Legal Notices

Data Processing Agreement.

Legal

Data Processing Agreement

GDPR Compliance Addendum

Effective Date: January 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Drop LLC and/or Starfox Analytics SAS (collectively or individually, "Processor" or "Drop") and the Customer ("Controller") and governs the processing of personal data by Drop on behalf of the Controller in connection with the AI content generation services ("Services").

This DPA is designed to meet the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation.

Processor Entities

Drop LLC — 14205 N Mopac Expy Ste 570, Austin, TX 78728, USA

Starfox Analytics SAS (SIREN 898 522 941) — 6 Rue d'Armaillé, 75017 Paris, France (EU Representative)

01

Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person.

"Processing"

Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed.

"Sub-processor"

Any third party engaged by Drop to process Personal Data on behalf of the Controller.

"Standard Contractual Clauses" or "SCCs"

The standard contractual clauses approved by the European Commission for international transfers of personal data.

02

Scope and Purpose of Processing

Subject Matter

Drop processes Personal Data solely to provide the Services described in the Terms of Use, specifically AI-powered content generation for e-commerce.

Nature and Purpose

Processing includes storage, analysis, and AI-based transformation of data uploaded by the Controller to generate creative content.

Types of Personal Data

Product information, images, descriptions, and any other data uploaded by the Controller which may include Personal Data.

Categories of Data Subjects

Employees, customers, or other individuals whose data may be included in the Controller's uploaded content.

Duration

Processing continues for the duration of the service agreement plus any retention period required by law or as specified in the Privacy Policy.

03

Processor Obligations

Drop agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Respect the conditions for engaging Sub-processors as set forth in Section 5
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return Personal Data upon termination of services, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits
04

Controller Obligations

The Controller represents and warrants that:

  • It has obtained all necessary consents and legal bases for the processing of Personal Data
  • Its instructions to Drop comply with applicable data protection laws
  • It will inform Drop of any changes to applicable data protection requirements that may affect the processing
05

Sub-processors

Authorization

The Controller provides general authorization for Drop to engage Sub-processors, including the transfer of data between Drop LLC and Starfox Analytics SAS. A current list of Sub-processors is available upon request.

Notification

Drop will notify the Controller of any intended changes to Sub-processors at least 30 days in advance, allowing the Controller to object.

Sub-processor Agreements

Drop will ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.

06

Security Measures

Drop implements appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication measures
  • Regular security testing and monitoring
  • Incident response procedures
  • Employee training on data protection
07

Data Breach Notification

Drop will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.

08

International Data Transfers

Transfer Mechanism

Drop LLC is based in the United States and Starfox Analytics SAS is based in France. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, Drop relies on the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor).

EU Representative

Starfox Analytics SAS serves as the EU representative for GDPR purposes pursuant to Article 27 of the GDPR.

SCCs Incorporation

By entering into this DPA, the parties are deemed to have executed the Standard Contractual Clauses, which are incorporated by reference. The SCCs shall be deemed completed as follows: (a) Module Two applies; (b) Clause 7 (Docking Clause) is included; (c) Option 2 of Clause 9(a) applies with 30 days' notice; (d) The optional redress language in Clause 11 is excluded; (e) Option 1 of Clause 17 applies with Irish law governing; (f) Clause 18(b) applies with disputes resolved in Ireland.

09

Data Subject Rights

Drop will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. If Drop receives a request directly from a Data Subject, it will promptly forward the request to the Controller unless legally prohibited.

10

Audit Rights

Drop will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for audits by the Controller or an authorized auditor. Audits shall be conducted with reasonable advance notice, during normal business hours, and subject to confidentiality obligations.

11

Data Deletion and Return

Upon termination of the Services or upon the Controller's request, Drop will delete or return all Personal Data to the Controller, unless retention is required by applicable law. Drop will certify deletion upon request.

12

Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Use. Drop shall be liable for damages caused by processing that violates the GDPR or this DPA only to the extent required by Article 82 of the GDPR.

13

General Provisions

Precedence

In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data protection matters.

Amendments

This DPA may be amended to reflect changes in data protection law. Drop will notify the Controller of material changes.

Governing Law

This DPA is governed by the laws of Ireland with respect to GDPR matters, and the laws of the State of Texas or France (depending on the contracting entity) for all other matters.

14

Contact

For data protection inquiries:

Drop LLC

14205 N Mopac Expy Ste 570
Austin, TX 78728, USA
legal@shopwithdrop.com

Starfox Analytics SAS

6 Rue d'Armaillé
75017 Paris, France
SIREN: 898 522 941
legal@shopwithdrop.com