Data Processing Agreement

Last updated: April 23, 2026

1. Roles

  • Merchant acts as Data Controller for shopper personal data processed through their store.
  • Drapify acts as Data Processor on the Merchant's behalf.

2. Subject Matter and Duration

Drapify processes personal data only as instructed by the Merchant for the duration of the subscription, in order to provide the Service described in our Terms of Service.

3. Categories of Data Processed

  • Shopper photos, optional measurements
  • Names, email addresses, order information, shipping city/region/country
  • Conversation history with the AI assistant
  • Anonymous and pseudonymous identifiers

4. Categories of Data Subjects

Shoppers and prospective customers of the Merchant.

5. Drapify Obligations

We will:

  • Process personal data only on documented instructions from the Merchant
  • Ensure personnel processing personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (see Security Policy)
  • Assist the Merchant with data subject requests where reasonably possible
  • Notify the Merchant without undue delay and within 72 hours of becoming aware of a personal data breach (see Security Incident Response Policy)
  • Delete personal data immediately when the merchant uninstalls the Service, with a verification sweep within 48 hours, subject only to limited retention required by law (e.g. audit logs retained up to 12 months for security purposes)
  • Make available information necessary to demonstrate compliance and allow for reasonable audits

6. Sub-Processors

Drapify uses sub-processors to deliver the Service, including infrastructure, AI inference, and email delivery providers. A current list is available on request at privacy@drapify.ai. We will give the Merchant prior notice of changes and an opportunity to object.

7. International Data Transfers

Where personal data is transferred outside the EEA, UK, or other regulated jurisdictions, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

8. Data Subject Rights

The Merchant is responsible for responding to data subject requests. Drapify will reasonably assist in fulfilling these requests.

9. Security

See our Security Policy and Security Incident Response Policy for technical and organizational measures.

10. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service.

11. Governing Law

This DPA is governed by the same law as the Terms of Service (Lahore, Pakistan).

12. Contact

Email: privacy@drapify.ai

Related Policies