Data Processing Addendum
Last updated: 1 July 2026
This Addendum forms part of the agreement between the merchant ("Controller") and Barikreativa srl ("Processor") for the provision of UCP Optimizer, and reflects the parties' obligations under the GDPR.
1. Subject matter & duration
The Processor processes catalog data on the Controller's behalf for the duration of the app installation. Processing ends on uninstall, after which data is deleted.
2. Nature & purpose
Scoring, monitoring, and optimizing product data for AI shopping agents, as described in the Privacy Policy. No special-category data and no customer personal data are processed.
3. Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database | EU (Frankfurt) |
| Render | Hosting | EU (Frankfurt) |
| OpenAI | LLM enrichment | US, under DPA / SCCs, no training on inputs |
| Shopify | Admin API & Catalog MCP | Per Shopify terms |
4. Security measures
- Encryption of access tokens at rest (AES-256-GCM) and TLS in transit.
- Least-privilege access scopes (product read/write only).
- Tenant isolation between merchant stores.
- Automated retention purge and deletion on uninstall / redaction.
5. Data subject rights & assistance
The Processor assists the Controller in responding to data subject requests and honors Shopify's mandatory compliance webhooks. As no customer PII is stored, customer data-request and redaction webhooks are acknowledged accordingly.
6. Breach notification
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data.
7. Contact
Barikreativa srl — ivan@barikreativa.com.