Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

Definitions:

• Personal Data: Any information relating to an identified or identifiable natural person (Data Subject), including but not limited to email addresses, browsing behavior, shopping cart contents, and session data.
• Data Subject: End customers of the Merchant who visit the Merchant's e-commerce website.
• Processing: Any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
• Services: ZeroCart's cart abandonment recovery SaaS platform, including behavioral tracking, predictive AI analysis, and automated email recovery campaigns.
• Applicable Law: GDPR (EU Regulation 2016/679), UK GDPR, CCPA (California Consumer Privacy Act), CAN-SPAM Act, CASL (Canada's Anti-Spam Legislation), and any other applicable data protection legislation.

2.1 Subject Matter: This DPA governs the Processing of Personal Data by ZeroCart on behalf of the Merchant for the purpose of providing cart abandonment recovery services.

2.2 Duration: This DPA remains in effect for the duration of the Merchant's active subscription to ZeroCart's Services and for a period of 30 days thereafter to allow for data return or deletion as specified in Article 11.

2.3 Scope: This DPA applies exclusively to Personal Data of Data Subjects (end customers) collected via ZeroCart's tracking snippet (snippet.js) installed on the Merchant's website.

3.1 Nature of Processing: ZeroCart performs the following Processing operations:

• Collection of behavioral data via tracking pixel
• Recording of cart abandonment events
• Storage of email addresses and cart contents
• Analysis using proprietary AI technology (NeuralyX)
• Automated sending of cart recovery emails
• Aggregation of performance analytics

3.2 Purpose of Processing:

• Detect cart abandonment events on Merchant's website
• Predict likelihood of cart recovery using AI models
• Send personalized email reminders to Data Subjects
• Provide Merchant with analytics and performance insights
• Improve ZeroCart's proprietary AI models (using anonymized, aggregated data only)

3.3 Processing Instructions: ZeroCart processes Personal Data solely based on documented instructions from the Merchant as set forth in:

• This DPA
• ZeroCart's Terms of Service
• Configuration settings within the Merchant's ZeroCart dashboard
• API calls made by the Merchant to ZeroCart's systems

Important: If ZeroCart believes any instruction from the Merchant would violate Applicable Law, ZeroCart shall immediately inform the Merchant and suspend Processing until the instruction is modified or withdrawn.

4.1 Types of Personal Data Processed:

• Identification Data: Email addresses
• Behavioral Data: Pages viewed, time on site, click events, scroll depth, mouse movements
• Transaction Data: Cart contents (product names, quantities, prices), cart value, currency
• Technical Data: IP addresses (anonymized), browser type, device type, session IDs, visitor IDs
• Temporal Data: Timestamps of cart creation, abandonment, and interactions

4.2 Categories of Data Subjects:

• Website visitors who add items to cart but do not complete checkout
• Prospective customers of the Merchant's e-commerce platform
• Residents of any jurisdiction where the Merchant operates

4.3 Sensitive Data: ZeroCart does not knowingly collect or process special categories of Personal Data as defined in GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.). If such data is inadvertently collected, it will be immediately deleted upon discovery.

4.4 Children's Data: ZeroCart's Services are not intended for websites primarily targeting children under 13 (US) or under 16 (EU). Merchant warrants that their platform does not primarily target minors. ZeroCart disclaims all liability for violations of COPPA (Children's Online Privacy Protection Act) or equivalent laws.

5.1 Processing on Instructions: ZeroCart shall process Personal Data only on documented instructions from the Merchant, unless required to do so by applicable law.

5.2 Confidentiality:

• ZeroCart ensures that all personnel with access to Personal Data are bound by confidentiality obligations (NDA)
• Access to Personal Data is limited to personnel who require it to perform their duties
• Confidentiality obligations survive termination of employment

5.3 Security Measures: ZeroCart implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

5.4 Sub-processors:

The Merchant grants ZeroCart general authorization to engage sub-processors. Current sub-processors are listed below. ZeroCart shall:

• Notify Merchant 30 days before adding or replacing any sub-processor
• Provide Merchant with the right to object within 14 days
• Impose data protection obligations on sub-processors equivalent to this DPA
• Remain fully liable to Merchant for any sub-processor's failure to fulfill obligations

5.5 Assistance with Data Subject Rights: ZeroCart shall assist the Merchant in responding to Data Subject requests to exercise their rights under Applicable Law:

• Access (GDPR Art. 15): ZeroCart will provide available Personal Data within 7 business days of Merchant's request
• Rectification (GDPR Art. 16): ZeroCart will correct inaccurate data within 48 hours
• Erasure (GDPR Art. 17): ZeroCart will delete data within 24 hours (30 days for backups)
• Data Portability (GDPR Art. 20): ZeroCart will provide data in JSON format within 7 business days
• Objection (GDPR Art. 21): ZeroCart will immediately cease Processing and blacklist the Data Subject's email
• Restriction (GDPR Art. 18): ZeroCart will suspend Processing (except storage) during dispute resolution

Formal DSAR Procedure: When ZeroCart receives a Data Subject Access Request related to Merchant's customers:
1. ZeroCart notifies Merchant within 5 business days
2. ZeroCart provides available data within 20 business days
3. ZeroCart deletes data within 30 days if erasure requested
Merchant remains responsible for responding to Data Subjects directly.

5.6 Data Breach Notification:

In the event of a Personal Data breach, ZeroCart shall:

• Notify Merchant within 24 hours of becoming aware of the breach
• Provide details including: nature of breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed
• Assist Merchant in notifying supervisory authorities (if required within 72 hours under GDPR)
• Assist Merchant in notifying affected Data Subjects (if required under Applicable Law)
• Document all breaches in an internal register
• Cooperate with Merchant's investigation and remediation efforts

5.7 Data Protection Impact Assessments: Upon Merchant's request, ZeroCart shall provide reasonable assistance with Data Protection Impact Assessments (DPIA) required under GDPR Article 35.

5.8 Audit Rights:

• Merchant may audit ZeroCart's compliance with this DPA once per year
• Audits require 30 days' written notice
• Audits shall be conducted during business hours and shall not unreasonably interfere with ZeroCart's operations
• Merchant shall bear all costs of audits unless material non-compliance is found
• ZeroCart may provide third-party certifications (ISO 27001, SOC 2) in lieu of audit
• Audit findings shall be kept confidential and shared only between parties

5.9 Demonstration of Compliance: Upon request, ZeroCart shall make available to Merchant all information necessary to demonstrate compliance with this DPA and Applicable Law, including:

• Technical and organizational security measures documentation
• Sub-processor agreements
• Security audit reports (redacted if necessary)
• Breach incident register (relevant entries only)
• Certifications and compliance attestations

6.1 Legal Basis: Merchant warrants that it has a valid legal basis for Processing Personal Data and sharing it with ZeroCart, including:

• Consent from Data Subjects (GDPR Article 6(1)(a)), OR
• Legitimate interest (GDPR Article 6(1)(f)) with proper balancing test conducted, OR
• Contractual necessity (GDPR Article 6(1)(b))

6.2 Privacy Policy Obligations: Merchant shall:

• Maintain an up-to-date Privacy Policy on their website
• Include information about ZeroCart's data processing using the template provided by ZeroCart
• Provide clear notice to Data Subjects before collecting their data via ZeroCart's tracking snippet
• Obtain any required consents before activating ZeroCart's tracking

6.3 CAN-SPAM Compliance (US Law): Merchant shall:

• Provide a valid physical mailing address to be included in all email footers
• Ensure all emails contain accurate "From" and "Subject" headers
• Not send emails to harvested or purchased email lists
• Honor unsubscribe requests within 10 business days

CASL Compliance (Canada): Merchants targeting Canadian consumers must comply with Canada's Anti-Spam Legislation (CASL). ZeroCart provides CAN-SPAM compliant infrastructure. Compliance with CASL is Merchant's sole responsibility. Merchant must obtain express or implied consent from Canadian recipients before sending commercial electronic messages.

6.4 Compliance with Local Laws: Merchant is solely responsible for compliance with all applicable laws in their jurisdiction and the jurisdictions of their Data Subjects, including but not limited to:

• GDPR (EU)
• UK GDPR (United Kingdom)
• CCPA / CPRA (California)
• CAN-SPAM Act (USA)
• CASL (Canada)
• LGPD (Brazil)
• PIPEDA (Canada)
• Any other applicable privacy or consumer protection legislation

6.5 Instructions: Merchant shall only provide Processing instructions that are lawful and do not violate Applicable Law. Merchant shall not instruct ZeroCart to:

• Send spam or unsolicited emails
• Process data without a valid legal basis
• Violate Data Subjects' rights
• Circumvent technical security measures
• Retain data longer than necessary

7.1 Transfer Mechanisms: Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing adequate data protection:

• ZeroCart relies on Standard Contractual Clauses (SCCs) approved by the European Commission
• For US-based sub-processors, ZeroCart ensures compliance with the EU-US Data Privacy Framework (DPF) where applicable
• ZeroCart conducts Transfer Impact Assessments (TIA) as required under Schrems II case law

7.2 US Data Transfers: ZeroCart AI LLC is based in Wyoming, USA. Personal Data collected from EU/UK/Swiss Data Subjects may be transferred to and processed in the United States. ZeroCart implements supplementary measures including:

• End-to-end encryption
• Pseudonymization where feasible
• Contractual prohibition on government data access requests without legal challenge
• Transparency commitments regarding government requests

7.3 Sub-processor Transfers: Sub-processors located outside the EEA/UK/Switzerland are bound by equivalent data protection obligations through:

• Standard Contractual Clauses incorporated in sub-processor agreements
• Data Privacy Framework certification (where applicable)
• Supplementary security measures as required

8.1 Retention Period:

• Behavioral Data (cart events, browsing): Maximum 90 days from collection
• Email Addresses (active recovery campaigns): Until campaign completion or opt-out, maximum 90 days
• Analytics Data (aggregated, anonymized): Indefinitely (no Personal Data)
• Merchant Account Data: Duration of subscription + 3 years (for legal/accounting purposes)
• Backup Data: Maximum 30 days (rolling backups)

8.2 Automated Deletion: ZeroCart implements automated deletion processes:

• Daily cron job deletes behavioral data older than 90 days
• Weekly cleanup removes orphaned records
• Monthly audit ensures retention policies are enforced

8.3 Manual Deletion: Data Subjects or Merchant may request deletion at any time. ZeroCart will:

• Delete from production database within 24 hours
• Delete from backups within 30 days (next backup rotation)
• Provide confirmation of deletion to requesting party

9.1 AI Model Training License: Merchant grants ZeroCart a non-exclusive, worldwide, royalty-free, perpetual license to use anonymized and aggregated behavioral data to improve ZeroCart's proprietary AI models (NeuralyX).

9.2 Anonymization Guarantee:

• No Personally Identifiable Information (PII) is used for model training
• Email addresses are stripped and replaced with anonymous hashes
• Behavioral patterns are aggregated across thousands of Data Subjects
• No individual-level data can be reconstructed from trained models

9.3 License Survival: This license survives termination of this Agreement. Anonymized data already incorporated into AI models cannot be "un-trained" after termination.

9.4 Competitive Use: Merchant acknowledges that improved AI models may benefit all ZeroCart customers, including potential competitors of Merchant. This is inherent to the SaaS model.

9.5 NeuralyX Trade Secret Protection

9.5.1 Trade Secret Components: The following aspects of NeuralyX are confidential trade secrets:

• Machine learning algorithms and model architectures
• Training methodologies and data processing pipelines
• Predictive scoring systems and decision logic
• Performance optimization techniques
• Source code, configuration files, and deployment procedures
• Training datasets and data preprocessing methods
• Feature engineering and signal weighting strategies

9.5.2 Prohibition on Reverse Engineering: Merchant shall NOT:

• Reverse engineer, decompile, or disassemble any part of NeuralyX
• Attempt to discover the source code, algorithms, or internal logic of NeuralyX
• Use automated tools to probe, test, or analyze NeuralyX's decision-making processes
• Extract or replicate NeuralyX's functionality for any competing product or service
• Share insights about NeuralyX's internal workings with third parties (except as required by law)
• Benchmark or compare NeuralyX against competing AI systems in a manner that reveals trade secrets

9.5.3 DTSA Protections and Penalties:

9.5.4 Merchant Acknowledgment: By accepting this DPA, Merchant acknowledges that:

• NeuralyX is a valuable trade secret of ZeroCart AI LLC
• Unauthorized disclosure or use would cause irreparable harm to ZeroCart
• Merchant has no right to access NeuralyX's source code or internal algorithms
• Merchant will not attempt to reverse engineer or replicate NeuralyX
• Violation of this section constitutes material breach of this DPA
• ZeroCart may seek immediate injunctive relief for violations (without posting bond)

9.5.5 Permitted Use: Merchant may:

• Use NeuralyX's outputs (predictions, scores, recommendations) for cart recovery
• View aggregated performance metrics in dashboard analytics
• Reference NeuralyX by name in marketing materials (e.g., "Powered by NeuralyX AI")
• Discuss general functionality of NeuralyX (e.g., "AI predicts cart recovery likelihood")

Clarification: This section does NOT prevent Merchant from using NeuralyX's outputs (predictions, analytics) for legitimate business purposes. It only prohibits attempting to discover, replicate, or misappropriate the underlying technology itself.

9.5.6 Survival: The trade secret protections in this Article 9.5 survive termination of this DPA and the underlying subscription indefinitely, as trade secrets do not expire.

10.1 Processor Liability: ZeroCart shall be liable to Merchant for damages arising from:

• ZeroCart's breach of this DPA
• ZeroCart's failure to comply with Applicable Law
• Unauthorized access to Personal Data due to ZeroCart's negligence
• Failure of a sub-processor to fulfill obligations (ZeroCart remains fully liable)

10.2 Limitation of Liability: ZeroCart's total liability under this DPA is limited to the total fees paid by Merchant in the 12 months preceding the claim. This limitation does not apply to:
• Gross negligence or willful misconduct by ZeroCart
• Data breaches caused by ZeroCart's failure to implement required security measures
• Violations of confidentiality obligations

10.3 Controller Indemnification: Merchant shall indemnify, defend, and hold harmless ZeroCart from and against any claims, liabilities, damages, costs, and expenses (including reasonable attorney fees) arising from:

• Merchant's failure to comply with Applicable Law (GDPR, CCPA, CAN-SPAM, CASL, etc.)
• Merchant's failure to update their Privacy Policy as required
• Merchant's failure to obtain required consents from Data Subjects
• Merchant's provision of unlawful Processing instructions
• Third-party claims related to Merchant's non-compliance
• Regulatory fines imposed on ZeroCart due to Merchant's violations

Critical: ZeroCart is NOT responsible for Merchant's legal compliance. ZeroCart provides tools and templates to assist with compliance, but implementation and adherence to local laws remains Merchant's sole responsibility.

10.4 Indirect Damages: Neither party shall be liable for indirect, incidental, consequential, or punitive damages, including lost profits, loss of data, or business interruption, except in cases of gross negligence or willful misconduct.

11.1 Termination Options: Upon termination or expiration of the Services, Merchant may choose:

11.2 Exceptions (Not Deleted):

• Invoices and payment records: Retained for 10 years (legal/accounting requirement)
• Aggregated analytics (anonymized): Retained indefinitely (no Personal Data)
• Audit logs: Retained for 12 months (security/compliance requirement)
• Anonymized AI training data: Cannot be deleted (already incorporated into models)

11.3 Legal Hold: If ZeroCart receives a legal order or subpoena requiring retention of data, ZeroCart will:

• Notify Merchant immediately
• Preserve data as legally required
• Limit access to minimum necessary personnel
• Delete data once legal hold is lifted

12.1 Governing Law: This DPA shall be governed by and construed in accordance with the laws of the State of Wyoming, United States of America, without regard to its conflict of laws principles.

12.2 GDPR Compliance: Nothing in this Article shall limit the application of GDPR to Merchants or Data Subjects located in the European Economic Area or United Kingdom.

12.3 Dispute Resolution:

• Negotiation: Parties shall attempt to resolve disputes through good-faith negotiation for 30 days
• Mediation: If negotiation fails, disputes shall be referred to mediation (costs split equally)
• Arbitration: If mediation fails, disputes shall be resolved through binding arbitration in Wyoming under AAA Commercial Arbitration Rules
• Exception: Either party may seek injunctive relief in court to protect confidential information or intellectual property

12.4 Jurisdiction for GDPR Claims: Data Subjects and supervisory authorities in the EU/UK retain their rights to bring claims in their local courts under GDPR Article 79.

13.1 Amendment Process: ZeroCart may amend this DPA to:

• Comply with changes in Applicable Law
• Reflect changes in sub-processors (with 30-day notice)
• Improve security measures or data protection
• Clarify existing provisions

13.2 Notice Period: Material changes require 30 days' advance notice via email and dashboard notification.

13.3 Right to Object: If Merchant objects to an amendment, Merchant may terminate the Services within the notice period without penalty.

13.4 Continued Use = Acceptance: Continued use of ZeroCart's Services after the notice period constitutes acceptance of the amended DPA.

14.1 Binding Agreement: By clicking "I Accept" or checking the acceptance checkbox, Merchant agrees to be bound by all terms of this DPA.

14.2 Electronic Signature: Merchant's electronic acceptance constitutes a legally binding signature equivalent to a handwritten signature under:

• U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN Act)
• Uniform Electronic Transactions Act (UETA)
• EU eIDAS Regulation (for EU Merchants)

14.3 Record Keeping: ZeroCart maintains records of acceptance including:

• Date and time of acceptance (UTC timestamp)
• IP address of accepting party
• Email address of Merchant account
• Version of DPA accepted

14.4 Authority: By accepting, the individual represents and warrants that they have authority to bind the Merchant entity to this Agreement.

15.1 Severability: If any provision of this DPA is found invalid or unenforceable, the remaining provisions remain in full force.

15.2 No Waiver: Failure to enforce any provision does not constitute a waiver of that provision.

15.3 Entire Agreement: This DPA, together with ZeroCart's Terms of Service, constitutes the entire agreement regarding data processing.

15.4 Assignment: Merchant may not assign this DPA without ZeroCart's prior written consent. ZeroCart may assign to affiliates or in connection with a merger/acquisition.

15.5 Survival: Articles 9 (Training Data License), 10 (Liability), 11 (Data Deletion), and 12 (Governing Law) survive termination.

15.6 Language: This DPA is executed in English. Any translations are for convenience only; English version controls in case of conflict.