Data Processing Agreement (DPA)

By using Kinetic’s Services, the Customer acknowledges and agrees to both the Terms and this DPA. For the purposes of this DPA, Kinetic Software GmbH acts as a Data Processor on behalf of the Customer, who is the Data Controller under applicable data protection laws (including the EU General Data Protection Regulation, “GDPR”).

This document is also available as a downloadable PDF, under this link.

1. Subject Matter and Duration of Processing

Kinetic processes personal data solely to provide its interactive email technology. This processing continues for the duration of the Customer’s use of the Services and for up to 90 days thereafter, unless otherwise required by law.

2. Nature and Purpose of Processing

Kinetic processes customer data, including data from Shopify and Klaviyo, such as order and transaction data, email addresses, and personal details like names and contact information, for the purpose of generating, sending and analyzing interactive marketing emails.

3. Categories of Data Subjects

End customers of the Customer, email subscribers, and other users whose personal data the Customer chooses to include in the Service.

4. Roles and Responsibilities

The Customer is responsible for lawfully collecting and controlling all personal data and ensuring a valid legal basis under GDPR (e.g., consent or legitimate interest). Kinetic will only process personal data on documented instructions from the Customer, unless required by law.

5. Processor Obligations

Kinetic will:

  • Implement appropriate technical and organizational measures to protect personal data;

  • Ensure confidentiality and train personnel accordingly;

  • Notify the Customer of any suspected or confirmed personal data breach without undue delay (no later than 24 hours);

  • Assist the Customer in responding to data subject requests (e.g., access, deletion, rectification);

  • Inform the Customer without delay if Kinetic believes that an instruction violates applicable data protection law;

  • Delete or return personal data upon request or after 90 days post-termination, unless legally required to retain it;

  • Support the Customer in complying with the obligations set out in Articles 32 to 36 of the GDPR, particularly in the case of security incidents and data protection impact assessments.

6. Security Measures

Kinetic maintains security controls including encryption at rest and in transit, access restrictions, multi-factor authentication, and regular security audits.

7. Sub-processors

Kinetic may use sub-processors to deliver the Service (including Google Cloud, PostHog, and others as listed in our Privacy Policy). Sub-processors are bound by similar data protection obligations. The Customer will be notified at least 30 days in advance of any material changes via email and may object on reasonable grounds.

8. International Transfers

Where personal data is transferred outside the EU/EEA (e.g., to US-based sub-processors), Kinetic ensures appropriate safeguards such as EU Standard Contractual Clauses (SCCs) are in place.

9. Audit and Documentation

Upon request, Kinetic will make available information necessary to demonstrate compliance with this DPA and GDPR. The Customer may audit Kinetic’s processing activities, subject to reasonable notice and confidentiality obligations.

10. Intellectual Property

All IP related to Kinetic’s technology and services remains the sole property of Kinetic Software GmbH.

11. Liability

Kinetic shall not be liable for data protection violations resulting from the Customer’s unlawful or incorrect instructions. Each party remains liable in accordance with applicable law.

© Copyright 2025 Kinetic Software GmbH. All rights reserved.
