Data Processing Agreement

Last updated: May 2026. This Data Processing Agreement (“DPA”) forms part of the RankBird Terms & Conditions by reference. Working version pending final legal review.

1. Subject matter & roles

This DPA applies whenever RankBird processes personal data on the Client’s behalf in the context of the Service. The Client acts as controller and RankBird as processor within the meaning of Art. 4 GDPR. For personal data RankBird processes for its own purposes (e.g. account management, billing, security, product analytics) RankBird acts as controller — see our Privacy Policy.

2. Nature, purpose and duration

RankBird processes personal data only as needed to provide the Service: scanning the Client’s Shopify store, generating and publishing content, computing performance metrics, integrating with Google Search Console and storing the Client’s configuration. Processing lasts for the term of the agreement, plus the retention periods defined below.

3. Categories of data subjects and personal data

• Data subjects: the Client’s authenticated administrators; visitors to the Client’s Shopify store (only insofar as their data is made available via Shopify APIs to which RankBird is granted access).
• Personal data: name, email, role and language of admin users; OAuth tokens; technical identifiers (store handle, shop ID); aggregated analytics; personal data the Client voluntarily includes in prompts, briefs or templates.

RankBird deliberately does not process special categories of personal data (Art. 9 GDPR). The Client must not supply such data via the Service.

4. Client instructions

RankBird processes personal data only on the Client’s documented instructions, including regarding international transfers, save for legal obligations under EU or Dutch law. The Client’s instructions are set out in the Terms & Conditions, this DPA, and the configuration the Client makes in-product. RankBird informs the Client if, in its opinion, an instruction breaches the GDPR.

5. Security measures (TOMs)

RankBird takes appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption in transit (TLS 1.2+) and at rest for stored Client Data.
• Role-based access control with least-privilege defaults; production access restricted to named engineers.
• Hardened cloud infrastructure with provider security baselines (firewalling, network isolation, automated patching).
• Audit logging of administrative actions on production systems.
• Secure SDLC: code review, dependency scanning, pre-prod environments separated from production.
• Backup and recovery procedures with regular restore tests.
• Incident-response plan and on-call rotation.

6. Sub-processors

The Client authorizes RankBird to engage sub-processors to deliver the Service. The current list is on Sub-processors. RankBird informs Clients in advance of intended changes (adding or replacing a sub-processor); the Client may object within 30 days on reasonable grounds, in which case the parties work in good faith on an alternative or, failing that, the Client may terminate the affected part of the Service for convenience.

RankBird imposes on each sub-processor data-protection obligations no less protective than those in this DPA and remains liable for the acts and omissions of its sub-processors.

7. International transfers

When transferring personal data outside the European Economic Area, RankBird relies on (a) an adequacy decision under Art. 45 GDPR (e.g. the EU-US Data Privacy Framework for certified US sub-processors), or (b) the European Commission’s Standard Contractual Clauses (Decision 2021/914), supplemented by additional safeguards as required by case law (Schrems II).

8. Data-subject rights

Taking into account the nature of the processing, RankBird assists the Client with appropriate technical and organizational measures in meeting its obligation to respond to data-subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Requests received directly by RankBird are forwarded to the Client without undue delay.

9. Data breaches

RankBird informs the Client without undue delay (and in any event within 72 hours of becoming aware) of a breach involving the Client’s personal data and provides the information referred to in Art. 33(3) GDPR so the Client can meet its own notification obligations.

10. Audits & information

RankBird makes available to the Client all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice, no more than once per 12 months (and at the Client’s expense), the Client may have RankBird’s processing activities audited by a mutually agreed independent auditor bound by appropriate confidentiality obligations. RankBird may satisfy this obligation by making relevant third-party audit reports available (e.g. SOC 2 / ISO 27001) where available.

11. Return and deletion

On expiry or termination of the agreement, RankBird will, at the Client’s choice, delete or return all personal data processed on the Client’s behalf within 30 days, except where EU or Dutch law requires storage. Backups containing the data are deleted according to RankBird’s retention schedule, with continued protection of the data while it exists in backup form.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms & Conditions. Nothing in this DPA limits or excludes a party’s liability for breach of its own obligations under applicable data-protection law.

13. Term & precedence

This DPA takes effect on acceptance of the Terms & Conditions and remains in force as long as RankBird processes personal data on the Client’s behalf. In case of conflict between this DPA and the Terms & Conditions, this DPA prevails for data-protection matters.