Icon search

EasyGift - Data Processing Addendum

Last updated: 12 June 2026

Our commitment to GDPR compliance and data protection standards.

This Data Processing Addendum ("Addendum") applies to the processing of personal data by Shop Circle Holdings Ltd (trading as 506), One Kingdom Street, Paddington Central, London W2 6BD, United Kingdom ("506") in connection with the EG Auto Add to Cart Free Gift app ("EasyGift", the "App").

Definitions

  • 1.1 "Agreement" means the Shop Circle Holdings Ltd (trading as 506) Terms of Use and Privacy Policy for the App, or other written or electronic agreement governing the provision of services.
  • 1.2 "Customer Data" means any personal data that 506 processes on Customer's behalf.
  • 1.3 "Data Protection Laws" means all applicable worldwide legislation on data protection and privacy, including CCPA and laws from Canada, Australia, and Brazil.
  • 1.4(a) "European Data Protection Laws" means data protection laws applicable to Europe, including the EU GDPR (Regulation (EU) 2016/679) and the UK GDPR (the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
  • 1.4(b) "CCPA/CPRA" means the California Consumer Privacy Act and California Privacy Rights Act, as amended.
  • 1.5 "Europe" means EEA member states, Switzerland, and the United Kingdom.
  • 1.6 "Personal data", "controller", "data subject", "processor", and "processing" carry the meanings defined under applicable Data Protection Laws.
  • 1.7 "Sensitive Data" means special categories of data including social security numbers, genetic/biometric/health information, racial/ethnic/political/religious affiliation, and criminal records.
  • 1.8 "Sub-processor" means any processor engaged by 506 to assist with service obligations.
  • 1.9 "Security Incident" means an unauthorized breach causing destruction, loss, alteration, or unauthorized disclosure of Customer Data.

Roles and Responsibilities

  • 2.1 Under European Data Protection Laws (which, as defined in this Addendum, include the UK GDPR), 506 acts as processor on Customer's behalf. In relation to certain analytics and usage data described in the Privacy Policy, 506 may act as an independent controller.
  • 2.2 506 processes Customer Data per Annex A. Customer shall not provide Sensitive Data; 506 has no liability for Sensitive Data.
  • 2.3 Customer ensures 506's processing complies with applicable law. Where Customer acts as processor, Customer warrants authorization from third-party controllers.

Sub-Processing

  • 3.1 506 may engage Sub-processors. Currently authorized Sub-processors for the App:
    • (a) Shopify Inc. (Canada) - e-commerce platform provider and source of store and order data;
    • (b) Salesforce, Inc. (USA) - application hosting (Heroku);
    • (c) Amazon Web Services, Inc. (USA) - cloud infrastructure and hosting;
    • (d) MongoDB, Inc. (USA) - managed database hosting (MongoDB Atlas);
    • (e) Mixpanel, Inc. (USA) - product and usage analytics;
    • (f) Google LLC (USA) - cloud event and message processing (Google Cloud) and web analytics (Google Analytics);
    • (g) Freshworks Inc. (USA) - customer support ticketing (Freshdesk);
    • (h) Better Stack, Inc. (USA) - logging and monitoring;
    • (i) Fastly, Inc. (USA) - content delivery network;
    • (j) Anthropic, PBC (USA) - processing for AI-powered features (personal data shared is minimised as described in the Privacy Policy).
    • (k) Functional Software, Inc. (d/b/a Sentry) (USA) - application error tracking and performance monitoring.
  • 3.2 506 enters written agreements with Sub-processors containing data protection obligations no less protective than this Addendum, per Data Protection Laws. 506 is responsible for Sub-processor acts and omissions.
  • 3.3 506 informs Customer of new Sub-processors by updating the list in this Addendum as published on our website. Customer may request to receive email notification of Sub-processor changes by contacting support@506.io. Customer has 30 days from publication (or notification, where requested) to object if there is a material adverse effect on compliance.
  • 3.4 506 may be prevented from disclosing Sub-processor agreements due to confidentiality but shall provide relevant information upon request.

Security

  • 4.1 506 implements appropriate technical and organizational security measures protecting Customer Data from Security Incidents, as further described in Annex B.
  • 4.2 506 ensures authorized persons maintain confidentiality obligations (contractual or statutory).
  • 4.3 506 implements appropriate measures including physical security and regular backups.
  • 4.4 Upon Security Incident awareness, 506 shall: (a) notify Customer without undue delay, no later than 48 hours; (b) provide timely information; (c) promptly contain and investigate. Notification does not constitute fault acknowledgment.
  • 4.5 Customer is responsible for secure service use, including credential protection and data encryption.

Security Reports

  • 5.1 506 makes available information demonstrating compliance with this Addendum.
  • 5.2 Upon Customer's written request and subject to reasonable confidentiality obligations, 506 shall make available information necessary to demonstrate compliance with this Addendum and shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer. Such audits shall be limited to once per twelve (12) month period, conducted during normal business hours with at least thirty (30) days' prior written notice, and at Customer's expense.

International Transfers

  • 6.1 506's primary application data servers are located in the United States. Customer Data is primarily stored and processed in the United States.
  • 6.2 Where Customer Data of Customers in the European Economic Area or the United Kingdom is transferred to the United States or to Sub-processors located outside the European Economic Area or the United Kingdom, 506 ensures appropriate safeguards are in place in accordance with applicable Data Protection Laws, including the use of Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and/or the UK International Data Transfer Addendum issued by the ICO under Section 119A of the Data Protection Act 2018.
  • 6.3 506 shall inform Customer of the legal basis for any transfer of Customer Data to a third country and of the appropriate safeguards taken.
  • 6.4 To the extent that any transfer described in Section 6.2 requires such safeguards, the EU Standard Contractual Clauses (Module Two: Controller to Processor) and, in respect of transfers subject to UK Data Protection Laws, the UK International Data Transfer Addendum are incorporated into this Addendum by reference and shall be deemed completed with the information set out in Annex A, with Customer as data exporter and 506 as data importer. In the event of any conflict between this Addendum and the Standard Contractual Clauses or the UK International Data Transfer Addendum, the latter shall prevail to the extent of the conflict.

Deletion of Data

  • 7.1 Upon Agreement termination or expiration, 506 deletes or returns Customer Data except where legally required retention applies.
  • 7.2 Upon Customer deletion requests via Shopify webhooks, 506 confirms receipt and completes action within 30 days (unless legally required retention applies). Implemented webhooks: Data Requests, Customer Data Redaction, Shop Data Redaction.

Data Subject Rights and Cooperation

  • 8.1 506 provides reasonable assistance enabling Customer compliance with data subject rights under Data Protection Laws. 506 does not respond directly to data subject requests without Customer authorization, except where legally required.
  • 8.2 506 provides reasonably requested information regarding the Service enabling Customer to conduct data protection impact assessments and prior consultations.
  • 8.3 506 does not voluntarily provide government agencies Customer Data access. For compulsory requests from government agencies for Customers in Europe, 506 shall: (a) review legality; (b) inform agency of processor status; (c) attempt redirecting to Customer; (d) notify Customer via email allowing protective order pursuit; (e) provide minimum permissible information.
  • 8.4 CCPA/CPRA Standard - Processor does not receive Personal Information as service consideration. Processor shall not derive rights or benefits regarding Personal Information, nor combine it with other parties' information. Processor uses and discloses Personal Information solely for specified purposes. Processor refrains from selling or sharing Personal Information without Customer's written consent.

General

  • 9.1 Claims under this Addendum may be brought solely by the Agreement party Customer entity.
  • 9.2 This Addendum remains effective during 506's Customer Data processing or until Agreement termination.
  • 9.3 Upon conflict between this Addendum and the Agreement, this Addendum prevails.
  • 9.4 Shop Circle Holdings Ltd reserves the right to update or modify this Addendum from time to time. Continued use of the Services following any such update constitutes acceptance of the modified terms.
  • 9.5 This Addendum shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have non-exclusive jurisdiction over any disputes arising under this Addendum, without prejudice to any rights of data subjects under applicable Data Protection Laws.

Annex A

  • Categories of Data Subjects - Merchants (store owners) and their staff who use the App; and end customers of the merchant's online store, only to the limited extent that order and transaction data processed by the App constitutes personal data. 506 does not store end-customer contact details (names, email addresses, phone numbers, or shipping addresses).
  • Categories of Personal Data - Merchant contact information (store owner name, email address, store contact details); store data (store name, domain, Shopify plan, settings); cart and order data (order ID, products ordered, quantities, discounts, promotion rule triggers and outcomes); product and collection data (products, variants, collections, prices); and gift and promotion rule configurations; device and usage information (IP address, browser type, device information, session behaviour); app usage analytics (feature usage, dashboard interactions); and cookie data (session ID, CSRF token, Shopify OAuth tokens).
  • Frequency of Processing - Continuous and Customer-determined.
  • Subject Matter/Nature of Processing - Storage and processing necessary for providing, maintaining, and improving the service; disclosures per Agreement or legal compulsion.
  • Purpose of Processing - (a) Providing the service per the Agreement; (b) Customer-initiated processing; (c) reasonable Customer instructions consistent with the Agreement.
  • Duration/Retention Period - Per Section 7.
  • Sensitive Data - Not applicable. 506 does not intentionally process special category data as defined under Article 9 of the EU GDPR or equivalent provisions under UK GDPR.
  • Data Server Location - Primary servers: United States. Sub-processors may process data in the USA, Canada, and the United Kingdom as described in Section 3 and Section 6.
  • Transfer Mechanisms - EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and UK International Data Transfer Addendum (issued under Section 119A of the Data Protection Act 2018).

Annex B

Technical and Organisational Measures - 506 maintains technical and organisational measures designed to protect Customer Data, including: access controls and authentication (role-based access to production systems on a need-to-know basis, with multi-factor authentication for administrative access); encryption of Customer Data in transit (TLS) and at rest; logical segregation of production and non-production environments; regular backups and recovery procedures; logging and monitoring of production systems; confidentiality obligations and data protection awareness for personnel; due diligence on Sub-processors as described in Section 3; an incident response process supporting the notification commitments in Section 4; and data minimisation and deletion procedures as described in Section 7. 506 keeps these measures under review and may update them from time to time, provided that the overall level of protection is not materially reduced.

Privacy Policy

Terms of Use

Got questions? We have answers.

Help Center
Contact Support

Amazing apps that give your Shopify store superpowers.
Powered by Shop Circle

Links
Images and icons from icons8.com
© 506 is a trading name of FiftyPoint6 Holdings Ltd