Legal Notices
Data Processing Agreement.
Data Processing Agreement
GDPR Compliance Addendum
Effective Date: January 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between Drop LLC and/or Starfox Analytics SAS (collectively or individually, "Processor" or "Drop") and the Customer ("Controller") and governs the processing of personal data by Drop on behalf of the Controller in connection with the AI content generation services ("Services").
This DPA is designed to meet the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation.
Drop LLC — 14205 N Mopac Expy Ste 570, Austin, TX 78728, USA
Starfox Analytics SAS (SIREN 898 522 941) — 6 Rue d'Armaillé, 75017 Paris, France (EU Representative)
Definitions
Any information relating to an identified or identifiable natural person.
Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
An identified or identifiable natural person whose Personal Data is processed.
Any third party engaged by Drop to process Personal Data on behalf of the Controller.
The standard contractual clauses approved by the European Commission for international transfers of personal data.
Scope and Purpose of Processing
Drop processes Personal Data solely to provide the Services described in the Terms of Use, specifically AI-powered content generation for e-commerce.
Processing includes storage, analysis, and AI-based transformation of data uploaded by the Controller to generate creative content.
Product information, images, descriptions, and any other data uploaded by the Controller which may include Personal Data.
Employees, customers, or other individuals whose data may be included in the Controller's uploaded content.
Processing continues for the duration of the service agreement plus any retention period required by law or as specified in the Privacy Policy.
Processor Obligations
Drop agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Respect the conditions for engaging Sub-processors as set forth in Section 5
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return Personal Data upon termination of services, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
Controller Obligations
The Controller represents and warrants that:
- It has obtained all necessary consents and legal bases for the processing of Personal Data
- Its instructions to Drop comply with applicable data protection laws
- It will inform Drop of any changes to applicable data protection requirements that may affect the processing
Sub-processors
The Controller provides general authorization for Drop to engage Sub-processors, including the transfer of data between Drop LLC and Starfox Analytics SAS. A current list of Sub-processors is available upon request.
Drop will notify the Controller of any intended changes to Sub-processors at least 30 days in advance, allowing the Controller to object.
Drop will ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
Security Measures
Drop implements appropriate technical and organizational measures including:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication measures
- Regular security testing and monitoring
- Incident response procedures
- Employee training on data protection
Data Breach Notification
Drop will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
International Data Transfers
Drop LLC is based in the United States and Starfox Analytics SAS is based in France. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, Drop relies on the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor).
Starfox Analytics SAS serves as the EU representative for GDPR purposes pursuant to Article 27 of the GDPR.
By entering into this DPA, the parties are deemed to have executed the Standard Contractual Clauses, which are incorporated by reference. The SCCs shall be deemed completed as follows: (a) Module Two applies; (b) Clause 7 (Docking Clause) is included; (c) Option 2 of Clause 9(a) applies with 30 days' notice; (d) The optional redress language in Clause 11 is excluded; (e) Option 1 of Clause 17 applies with Irish law governing; (f) Clause 18(b) applies with disputes resolved in Ireland.
Data Subject Rights
Drop will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. If Drop receives a request directly from a Data Subject, it will promptly forward the request to the Controller unless legally prohibited.
Audit Rights
Drop will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for audits by the Controller or an authorized auditor. Audits shall be conducted with reasonable advance notice, during normal business hours, and subject to confidentiality obligations.
Data Deletion and Return
Upon termination of the Services or upon the Controller's request, Drop will delete or return all Personal Data to the Controller, unless retention is required by applicable law. Drop will certify deletion upon request.
Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Use. Drop shall be liable for damages caused by processing that violates the GDPR or this DPA only to the extent required by Article 82 of the GDPR.
General Provisions
In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data protection matters.
This DPA may be amended to reflect changes in data protection law. Drop will notify the Controller of material changes.
This DPA is governed by the laws of Ireland with respect to GDPR matters, and the laws of the State of Texas or France (depending on the contracting entity) for all other matters.
Contact
For data protection inquiries:
14205 N Mopac Expy Ste 570
Austin, TX 78728, USA
legal@shopwithdrop.com
6 Rue d'Armaillé
75017 Paris, France
SIREN: 898 522 941
legal@shopwithdrop.com