1. Roles
For personal data submitted by you (the "Customer"), MerchGuard acts as data processor. The Customer is the data controller and determines the purposes and means of processing.
For account/billing data, MerchGuard acts as data controller; see the Privacy Policy for that role.
2. Scope & Duration
This DPA applies to processing of personal data by MerchGuard on behalf of the Customer in the course of providing the Service, for the duration of the Service agreement and any post-termination retention period.
3. Categories of data
- Customer identifiers (Customer-supplied email, Clerk user ID).
- Listing content the Customer submits (title, description, tags, materials, price, optional shop / production-partner fields).
- Scan output (risk score, violations, evidence, AI telemetry).
4. Sub-processors
MerchGuard engages the sub-processors below to deliver the Service. Each sub-processor is bound by data-protection terms substantially equivalent to this DPA. We will give 14 days' notice of new sub-processors via the Service or email.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, CDN, DDoS protection, KV rate-limiting | Global edge |
| Neon, Inc. | Postgres database | EU (Frankfurt) |
| Clerk, Inc. | Authentication, user management | US |
| Anthropic, PBC | Claude AI inference (no training on inputs per API ToS) | US |
| Resend, Inc. | Transactional email | US / EU |
| Lemon Squeezy, LLC | Payment processing (primary) | US |
| Stripe, Inc. | Payment processing (alternate) | US / EU |
| PostHog Inc. | Product analytics (self-hosted EU) | EU |
| Functional Software, Inc. (Sentry) | Error tracking | EU |
| Etsy, Inc. | Listing OAuth + public listing fetch (only when user connects shop or pastes URL) | US |
5. Security measures
- Data in transit: TLS 1.2+ everywhere.
- Data at rest: encrypted at provider level (Neon, Cloudflare KV).
- Access: principle of least privilege, MFA required on production tooling.
- Logging: production logs retained 30 days; no listing content in error reports.
- Incident response: notification within 72 hours of confirmed personal-data breach.
6. International transfers
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (Module Two: Controller-to-Processor) with supplementary measures. The full list of non-EEA sub-processors and their legal basis is in §4 above.
7. Data subject requests
We assist the Customer in responding to data subject requests at no additional cost for reasonable volumes. Submit requests to hello@merchguard.app.
8. Deletion / return
On termination, we delete or return all personal data within 30 days, except where retention is legally required (e.g. billing records, 7 years).
9. Audit
We will provide reasonable assistance for the Customer's GDPR Art. 28(3)(h) audit obligations, typically by sharing recent third-party security reports of our sub-processors.