C ClearToMake← Back to website

1. Parties and precedence

The Shopify merchant is the controller and Maximilian Brückmann is the processor. This agreement forms part of the ClearToMake terms and takes precedence for processing personal data on the merchant's behalf.

2. Processing instructions

The processor processes personal data only to provide, secure, support, and maintain ClearToMake, on documented merchant instructions expressed through use of the service, unless Union or Member State law requires otherwise. The processor promptly informs the merchant if an instruction appears to infringe applicable data protection law.

3. Confidentiality and security

Persons authorised to process data are bound to confidentiality and receive access only as needed. Measures include TLS in transit, encrypted provider-managed storage, tenant-scoped access, Shopify-authenticated staff sessions, access logging, data minimisation, retention controls, and tested deletion webhooks.

4. Sub-processors

The merchant gives general authorisation to use Shopify, Railway, Resend, and Cloudflare for the purposes described in the privacy notice. The processor remains responsible for their data-protection obligations and will give reasonable notice of a material change so the merchant can object on legitimate data-protection grounds.

5. Data-subject requests and compliance

Taking account of the nature of processing, the processor assists the merchant with access, correction, restriction, portability, objection, and deletion requests. ClearToMake implements Shopify's mandatory customer data request, customer redaction, and shop redaction webhooks.

6. Incidents, impact assessments, and audits

The processor notifies the merchant without undue delay after becoming aware of a personal-data breach affecting the merchant's data and provides reasonably available information. The processor assists with impact assessments and supervisory-authority consultations where the processing requires it. On reasonable notice, the processor provides information necessary to demonstrate compliance and permits proportionate audits, subject to confidentiality and security safeguards.

7. Return and deletion

At the merchant's choice, data is returned where technically available or deleted at the end of the service, unless applicable law requires storage. Active-store retention periods are stated in the privacy notice; uninstall and Shopify redaction events delete merchant data from the active database.

8. International transfers

Transfers outside the EEA use an applicable adequacy decision, approved standard contractual clauses, or another safeguard under Chapter V GDPR. Relevant provider safeguards are documented in their contractual privacy terms.

Annex: processing details

Subject and duration

Operation of the approval workflow for the term of the merchant's ClearToMake service.

Nature and purpose

Reading order context; storing proofs and workflow state; sending requested transactional approval messages; recording decisions; and protecting production release.

Data subjects

Merchant customers and authorised merchant staff.

Data categories

Shop domain, staff session identifiers, order reference, product title, customer email, proof files, notes, decision history, timestamps, and approval receipts. No payment-card data is processed.

Contact

support@cleartomake.com