Data Processing Agreement
Ritely: AI Product Descriptions
Effective Date: March 13, 2026
Last Updated: March 13, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller," "Merchant") and Ritely ("Data Processor," "we," "us") and governs our processing of personal data on your behalf.
Contact: privacy@ritely.dev
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (GDPR, CCPA, PIPEDA, LGPD, or equivalent).
- Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
- Sub-processor: A third party engaged by the Data Processor to process personal data on behalf of the Data Controller.
- Applicable Data Protection Laws: GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), PIPEDA (Canada), LGPD (Brazil), and any other applicable data protection legislation.
2. Scope of Processing
2.1 Data Processed
Ritely processes product catalog data only. The categories of data processed are:
| Data Category | Examples | Contains Personal Data? |
| Product information | Titles, descriptions, tags, types | No (typically) |
| Product media | Image URLs | No |
| Product variants | Sizes, colors, prices, SKUs | No |
| Product metadata | Metafields, collections | No |
| Store identification | Store name, myshopify.com domain | No (business data) |
| Brand voice profiles | Writing style rules, example text | No (typically) |
2.2 Purpose Limitation
We process data exclusively for:
- Generating product descriptions, meta titles, meta descriptions, and bullet points
- Analyzing brand voice from merchant-provided examples
- Analyzing product images to enrich generated descriptions
- Evaluating generated content for quality and factual accuracy
- Tracking credit usage for subscription management
2.3 Personal Data Exclusion
Ritely does not request, access, or process:
- Customer names, email addresses, physical addresses, or phone numbers
- Order, transaction, or payment data
- Staff or employee personal data
- Any Shopify "protected customer data" as defined by Shopify's API Terms
If product data incidentally contains personal data (for example, a product description mentioning a designer's name), that data is processed solely for description generation and subject to the protections in this DPA.
3. Obligations of the Data Processor
We will:
- Process personal data only on documented instructions from the Data Controller (i.e., when you use Ritely's features)
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 5)
- Engage sub-processors only in accordance with Section 4
- Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Data Controller in ensuring compliance with obligations related to security, breach notification, and data protection impact assessments
- Delete or return all personal data upon termination of the service (see Section 6)
- Make available to the Data Controller all information necessary to demonstrate compliance with this DPA
4. Sub-processors
4.1 Authorized Sub-processors
| Sub-processor | Purpose | Location | Data Processed |
| Anthropic, PBC | AI model inference (Claude API) | United States | Product titles, descriptions, tags, metafields, image URLs, brand voice profiles |
| Railway | Application hosting and database | United States | All application data (encrypted at rest) |
| Sentry | Error monitoring | United States | Error logs (may contain product data fragments in stack traces) |
| Better Stack | Uptime monitoring and logging | European Union | Application logs (may contain product data fragments) |
4.2 Anthropic Sub-processor Details
Anthropic processes data under their Commercial Terms of Service:
- API inputs and outputs are not used to train AI models
- All data is automatically deleted within 30 days of processing
- Anthropic maintains SOC 2 Type II certification
- Anthropic's Data Processing Addendum applies to all API usage
4.3 Sub-processor Changes
We will notify the Data Controller of any intended changes to sub-processors (additions or replacements) via email or in-app notification, providing at least 30 days' notice before the new sub-processor begins processing. The Data Controller may object to a new sub-processor by contacting privacy@ritely.dev within that 30-day period.
5. Security Measures
We implement the following technical and organizational measures:
Technical Measures
- Encryption in transit: All data transmitted via HTTPS/TLS 1.2+
- Encryption at rest: Database encrypted using AES-256
- Authentication: Shopify session token verification (no third-party cookies or standalone auth)
- Access control: Application-level access controls; no direct database access in production
- API security: All third-party API calls (Anthropic, Shopify) use encrypted connections and scoped API keys
- Monitoring: Real-time error tracking (Sentry) and uptime monitoring (Better Stack)
Organizational Measures
- Principle of least privilege for all system access
- No human access to merchant product data during normal operations
- Incident response procedures (see Section 7)
6. Data Retention and Deletion
| Event | Action | Timeline |
| Active account | Data retained for service operation | Ongoing |
| App uninstalled | Account marked inactive | Immediate |
| Shopify shop/redact webhook received | All merchant data permanently deleted (product data, generated descriptions, brand voice profiles, account settings) | Within 48 hours |
| Shopify customers/redact webhook received | Acknowledged (Ritely stores no customer data) | Immediate |
| Shopify customers/data_request webhook received | Acknowledged (Ritely stores no customer data) | Immediate |
| Anthropic processing cache | Automatically purged by Anthropic | Within 30 days |
Upon termination, we certify deletion of all merchant data and can provide written confirmation upon request.
7. Data Breach Notification
In the event of a personal data breach:
- We will notify the Data Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
- Notification will include: nature of the breach, categories and approximate number of data records affected, likely consequences, and measures taken or proposed to address the breach
- We will cooperate with the Data Controller in notifying supervisory authorities and affected data subjects as required by applicable law
8. International Data Transfers
8.1 Transfer Mechanisms
Data is processed in the United States. For transfers from the EEA, UK, or Switzerland:
- We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) for controller-to-processor transfers
- Anthropic (as sub-processor) maintains its own SCCs and data transfer safeguards as documented in their Commercial Terms
8.2 Supplementary Measures
In addition to SCCs, we implement:
- Encryption of data in transit and at rest
- Access controls preventing unauthorized access
- Transparency reporting (we will notify merchants of any government data access requests to the extent permitted by law)
9. Data Subject Rights
We will assist the Data Controller in fulfilling data subject requests under applicable law:
| Right | How We Support |
| Access | Export all stored data for a merchant on request |
| Rectification | Merchant can edit any data through Ritely's interface or Shopify admin |
| Erasure | Uninstalling the app triggers full deletion; manual deletion available on request |
| Portability | Data export in standard format (JSON/CSV) on request |
| Restriction | Can pause processing for a specific merchant on request |
| Objection | Merchant can uninstall at any time; specific objections handled case-by-case |
Requests should be directed to privacy@ritely.dev. We will respond within 30 days.
10. Audits
The Data Controller has the right to audit our compliance with this DPA. Audits may be conducted:
- By the Data Controller or an appointed third-party auditor
- With reasonable advance notice (minimum 30 days)
- During normal business hours
- No more than once per calendar year (unless required by a supervisory authority or following a data breach)
We will provide reasonable cooperation and access to relevant information, systems, and facilities.
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, except where applicable data protection law prohibits such limitation.
12. Term and Termination
This DPA takes effect upon installation of the Ritely app and remains in effect for as long as we process personal data on behalf of the Data Controller. Upon termination:
- All personal data will be deleted in accordance with Section 6
- The obligations in this DPA survive to the extent necessary to complete deletion and address any pending data subject requests
13. Governing Law
This DPA is governed by the same law that governs the Terms of Service, except that:
- For merchants in the EEA, GDPR provisions are governed by the law of the EU Member State in which the merchant is established
- For merchants in the UK, UK GDPR provisions are governed by English law
- SCCs are governed by the law of the EU Member State specified in the SCCs
14. Contact
For questions about this DPA or to exercise any rights:
- Email: privacy@ritely.dev
- Support: ben@ritely.dev
Ritely is operated by Ben Smith. For data processing inquiries, contact privacy@ritely.dev.