Data Processing Agreement
This Data Processing Agreement ("DPA") supplements the Gold Shield Terms of Service and applies whenever Gold Shield processes Personal Data (as defined under the EU General Data Protection Regulation 2016/679 and UK GDPR) on your behalf in connection with your use of the Service.
This DPA is offered as a standing agreement. By using the Service in a jurisdiction subject to GDPR or UK GDPR, you accept this DPA. Customers who require a counter-signed copy may request one at hello@goldshield.app.
- Parties and roles
- Subject matter and duration
- Nature and purpose of processing
- Categories of data and data subjects
- Processor obligations and Customer instructions
- Sub-processors
- Security measures
- International transfers
- Personal data breach notification
- Data subject rights
- Audits and inspections
- Return or deletion at termination
- Liability
- Contact and DPO
1. Parties and roles
Customer (you) acts as the Controller of Personal Data relating to your Etsy shop, your customers, and any data you submit to the Service.
SubLuna, operating Gold Shield ("Processor", "we"), processes Personal Data on your behalf, only on your documented instructions, in accordance with this DPA.
2. Subject matter and duration
This DPA covers all processing of Personal Data carried out by us in providing the Service, for the duration of your subscription plus the limited retention period described in our Privacy Policy.
3. Nature and purpose of processing
We process Personal Data solely to:
- Provide the Service: countdown timers, AI reply suggestions, review surfacing, listing monitoring
- Send you the notifications you have requested (deadline reminders, review alerts)
- Maintain account, billing, and support functions
- Detect and prevent abuse, fraud, and security incidents
- Comply with legal obligations
We do not use your Personal Data to train AI models for other customers, sell it, aggregate it with other customers' data, or process it for any purpose outside the Service.
4. Categories of data and data subjects
Categories of Personal Data
- Customer (seller) account data: email, optional name, billing status, settings
- Etsy shop data accessed via OAuth: shop information, listings, orders, transaction records, reviews
- Etsy buyer data contained in forwarded notification emails: buyer first name (as Etsy displays it), message content, review text, order numbers
- Service usage logs: IP address, request timestamps, browser metadata
Categories of data subjects
- Customers (Etsy sellers)
- Customers' buyers, where their messages or reviews appear in forwarded notifications
- Customer support correspondents
We do not knowingly process special categories of data (Article 9 GDPR), data of children under 16, or government-issued identifiers.
5. Processor obligations and Customer instructions
We will:
- Process Personal Data only on your documented instructions, including those embedded in the Service's functionality, except where required by EU, UK, or Member-State law (in which case we will inform you, unless that law prohibits notice)
- Ensure that personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (Section 7)
- Assist you, taking into account the nature of processing and the information available to us, in fulfilling your obligations under Articles 32–36 GDPR
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (Section 11)
- Not engage sub-processors except as set out in Section 6
If we reasonably believe that an instruction infringes EU or UK data protection law, we will inform you and may decline to act on the instruction.
6. Sub-processors
You provide a general authorization for us to engage sub-processors. Our current sub-processors are:
| Sub-processor | Processing activity | Location |
|---|---|---|
| Vercel Inc. | Application hosting and edge delivery | USA / global edge |
| Supabase Inc. | Database, authentication, storage | EU (Frankfurt) and/or USA |
| Anthropic, PBC | AI inference (zero-retention enabled) | USA |
| Postmark (ActiveCampaign) | Transactional email + inbound parsing of forwarded notifications | USA |
| Stripe / LemonSqueezy | Billing and payment processing | USA / EU |
| Sentry / BetterStack | Error monitoring and uptime checks | USA / EU |
We have entered into written agreements with each sub-processor that impose data protection obligations no less protective than those in this DPA. We remain liable for our sub-processors' acts and omissions to the extent required by applicable law.
We will provide at least 30 days' notice by email before adding or replacing a sub-processor that processes Personal Data of your data subjects. If you object on reasonable data protection grounds, we will work with you in good faith. If we cannot resolve the objection, you may terminate the affected portions of the Service with a pro-rata refund of prepaid fees.
7. Security measures
We implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption in transit: TLS 1.2 or higher for all connections
- Encryption at rest: AES-256 for databases and backups
- Secrets management: OAuth tokens and API keys stored in encrypted vault
- Access controls: least-privilege access, two-factor authentication for personnel, audit logging
- Network security: firewalls, isolated production environment
- Vulnerability management: automated dependency scanning, prompt patching
- Backups: regular encrypted backups, tested recovery procedures
- Personnel: confidentiality obligations and security training
- Incident response: documented breach response plan
We periodically review and update these measures. A current technical and organizational measures summary is available on request at hello@goldshield.app.
8. International transfers
When we transfer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, we rely on:
- The European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) of 4 June 2021, incorporated by reference and deemed executed by acceptance of this DPA
- The UK International Data Transfer Addendum, where transfers originate in the UK
- The EU-U.S. Data Privacy Framework, where applicable
- Additional contractual and technical safeguards (e.g. encryption, pseudonymization)
Where the SCCs apply, the parties' respective roles are: Customer is data exporter, SubLuna is data importer, the optional docking clause is included, and the supervisory authority is the competent authority of the data exporter's jurisdiction.
9. Personal data breach notification
If we become aware of a Personal Data breach affecting your data, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware. The notification will include, to the extent known:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned
- Likely consequences
- Measures we have taken or propose to take to mitigate the breach
- Contact details for further information
We will cooperate with you and provide reasonable assistance to enable you to meet your own breach notification obligations to supervisory authorities and data subjects.
10. Data subject rights
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to fulfill your obligations to respond to data subject requests under Articles 12–22 GDPR (access, rectification, erasure, restriction, portability, objection).
If a data subject contacts us directly about Personal Data we process for you, we will refer them to you and notify you of the request.
11. Audits and inspections
You may, at your own cost and at reasonable intervals (no more than once per twelve-month period unless required by a supervisory authority or following a confirmed breach), audit our compliance with this DPA. The audit may be conducted by:
- Reviewing security and compliance documentation we provide on request, including any third-party security certifications and reports we hold; or
- An independent third-party auditor reasonably acceptable to both parties, bound by confidentiality, with at least 30 days' advance written notice, conducted during normal business hours, and not disrupting our operations
You will share audit results with us in confidence.
12. Return or deletion at termination
On termination of the Service for any reason, you may export your data through Service features for a period of 30 days. After that period, we will delete or anonymize all Personal Data processed on your behalf, except where retention is required by law (e.g. tax records under Ukrainian law), subject to the same protections under this DPA.
13. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law (e.g. for fines imposed by supervisory authorities arising from a party's breach of GDPR).
14. Contact
For all matters relating to this DPA, including data subject requests, audit requests, or sub-processor objections, contact us at:
Email: hello@goldshield.app
Operator: SubLuna (independent product, based in Ukraine)
We do not currently have a statutory obligation to appoint a Data Protection Officer. The contact above is the responsible person for data protection matters and will respond promptly.
This DPA is provided for transparency. It is not a substitute for legal advice; if your organization requires customized contract terms or a counter-signed agreement, please contact us.