Data Processing Agreement (DPA)

Last updated: May 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the merchant ("Data Controller," "you") and BrightLayer Lab LLC, a Virginia LLC that operates the Return Wise application ("Return Wise," "Data Processor," "we," "us"). This DPA governs the processing of personal data by the Data Processor on behalf of the Data Controller.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
Processing: Any operation performed on personal data, as defined in Article 4(2) of the GDPR.
Data Subject: The identified or identifiable natural person to whom personal data relates (i.e., the merchant's customers).
Sub-processor: Any third party engaged by the Data Processor to process personal data on behalf of the Data Controller.
Applicable Data Protection Law: GDPR (EU) 2016/679, UK GDPR, the Australian Privacy Act 1988, and any other applicable data protection legislation.

2. Scope and Purpose

2.1 Subject Matter

The Data Processor processes personal data to provide the Return Wise return management service as described in the Terms of Service.

2.2 Duration

Processing continues for the duration of the merchant's use of the App, plus any retention period required to fulfill legal obligations or complete data deletion.

2.3 Nature and Purpose of Processing

Activity	Purpose
Return request creation	Process customer return requests on behalf of the merchant
Rule evaluation	Determine return offer based on merchant-configured rules
Native store credit issuance	Issue Shopify store credit refunds and optional bonus store credit transactions
Abuse detection	Identify unusual return patterns to protect the merchant
Email notifications	Send transactional emails related to return processing
Analytics	Provide aggregated return metrics to the merchant

2.4 Categories of Data Subjects

Customers of the merchant who look up orders or initiate return requests through the merchant's store

2.5 Types of Personal Data Processed

Customer email addresses
Shopify customer IDs
Order numbers and order IDs
Product and variant information from orders
Return reasons and notes provided by customers
Fulfillment dates
Customer tags (as stored in Shopify)
IP addresses and related request metadata used for rate limiting, abuse prevention, and operational security
Shopify store credit identifiers, including refund IDs, store credit account IDs, and bonus credit transaction IDs

3. Obligations of the Data Controller

The Data Controller shall:

Ensure there is a lawful basis for processing personal data through the App
Inform data subjects about the processing in accordance with Articles 13 and 14 of the GDPR
Maintain an accurate compliance contact email address in the App settings for privacy and data-rights communications
Respond to data subject requests within the timeframes required by applicable law
Configure appropriate data retention periods in the App settings
Ensure that any instructions given to the Data Processor comply with applicable data protection law
Notify the Data Processor without undue delay if they become aware of any data breach involving data processed by the App

4. Obligations of the Data Processor

The Data Processor shall:

4.1 Processing Instructions

Process personal data only on documented instructions from the Data Controller (as configured in the App settings and as described in the Terms of Service)
Not process personal data for any purpose other than providing the return management service
Inform the Data Controller if, in the Data Processor's opinion, an instruction infringes applicable data protection law

4.2 Confidentiality

Ensure that all personnel authorized to process personal data are bound by obligations of confidentiality

4.3 Security (Article 32 GDPR)

Implement appropriate technical and organizational measures, including:

Encryption of data in transit (HTTPS/TLS)
Cryptographic signing of customer portal session tokens
Rate limiting on customer-facing endpoints
Input validation and output encoding (XSS prevention)
Idempotency and duplicate-detection controls to prevent duplicate processing
Access controls on merchant admin endpoints (Shopify session authentication)
Automated data retention and purge mechanisms

4.4 Sub-processors

Current sub-processors:

Sub-processor	Purpose	Data Processed
Shopify	Platform provider, API services, native store credit refunds and bonus credit transactions	Order data, customer data, store credit transaction data
Resend (resend.com)	Transactional email delivery (merchant and customer notifications)	Recipient email addresses, message subject and body content (order numbers, return details, store credit amounts)
Render (render.com)	Application hosting and database storage	All application data

The Data Processor shall:

Maintain the current list of sub-processors in Section 4.4 of this DPA. When the Data Processor engages a new sub-processor, the Data Processor will update this DPA and make the updated list available to the Data Controller. The Data Controller may review the current sub-processor list at any time and may object to a new sub-processor by contacting the Data Processor; if the objection cannot be reasonably resolved, the Data Controller may terminate the affected Services without penalty.
Ensure sub-processors are bound by data protection obligations no less protective than those in this DPA
Remain fully liable for the acts and omissions of sub-processors

4.5 Data Subject Requests

Automatically process Shopify's customers/data_request webhooks by compiling the relevant customer data into a snapshot stored inside the authenticated Return Wise admin (the Compliance page) and notifying the merchant-designated compliance contact email; the customer's identifying details and the compiled payload are never included in the email subject or body, snapshot access is logged for compliance review, and snapshots are auto-purged 30 days after the request is received regardless of fulfillment status (supporting the right of access and portability under Articles 15 and 20 of the GDPR while keeping protected data out of email systems and bounding retention)
Automatically process Shopify's customers/redact webhooks by permanently deleting all customer data held in Return Wise's systems (return requests, return items, rule evaluation logs, abuse flags) — supporting the right to erasure under Article 17 of the GDPR. Data previously written to Shopify's own systems during normal return processing — such as order notes and order tags — remains on the Shopify platform and is managed by Shopify, not by Return Wise.
Assist the Data Controller with other data subject rights (rectification, objection, restriction) on a manual basis where the Data Processor holds the relevant data. Most such rights are exercised through the merchant's own workflow; the Data Processor will respond to reasonable written requests for data-level changes within 30 days.

4.6 Data Breach Notification

Notify the Data Controller without undue delay, and no later than 72 hours, after becoming aware of a personal data breach affecting the Data Controller's data
Provide sufficient information to enable the Data Controller to fulfill their breach notification obligations under Articles 33 and 34 of the GDPR
Cooperate with the Data Controller in investigating and remediating the breach

4.7 Data Protection Impact Assessments

Assist the Data Controller with data protection impact assessments (DPIAs) where required under Article 35 of the GDPR, taking into account the nature of processing and information available to the Data Processor

5. Data Retention and Deletion

5.1 Retention Period

Personal data is retained according to the Data Controller's configured retention period (default: 12 months, configurable from 1 to 60 months)
Terminal return records (completed, rejected, or failed) older than the configured period are removed by the application's scheduled retention cleanup process, which is ordinarily run daily

5.2 Deletion or Return on Termination

In accordance with Article 28(3)(g) of the GDPR, the Data Controller may choose either deletion or return of personal data at the end of the provision of services. At any time during the term of the service or before uninstalling the App, the Data Controller may self-serve a full data export from the authenticated Return Wise admin (Settings → Compliance → "Export all shop data"), which produces a structured, commonly used, and machine-readable JSON archive of the personal data processed on behalf of the Data Controller. If the Data Controller is unable to access the admin, the Data Processor will, on written request to support@returnwise.app, use commercially reasonable efforts to provide an equivalent export by an alternative secure channel within 30 days. In the absence of a return request before the deletion timelines below take effect, the Data Processor will delete the personal data as the default. The Data Processor shall delete existing copies of personal data after deletion or return is complete, unless retention is required by applicable law.

Upon termination of the service (app uninstallation):

On Shopify's app/uninstalled webhook, Return Wise marks the shop for cleanup and preserves its configuration during a short reinstall grace period (approximately 48 hours, aligned with Shopify's compliance schedule). A merchant who reinstalls within that window keeps their settings. After the grace period elapses, Return Wise's scheduled cleanup process permanently deletes all personal data held in Return Wise's systems for the shop.
On Shopify's shop/redact webhook, Return Wise deletes all personal data held in its systems for the shop immediately, without waiting for the grace period.
Data deleted by either path includes: return requests, return items, rule evaluation logs, configured return rules, abuse flags, GDPR export snapshots, GDPR access audit logs, shop settings, and authentication session data
Deletion from Return Wise is permanent and irreversible
Data previously written to Shopify's own systems by the App — including store credit refunds, bonus store credit transactions, customer records, order notes, and order tags applied during return processing — remains on the Shopify platform as Shopify-owned resources, governed by Shopify's own policies and not by Return Wise

5.3 Customer-Level Deletion

Upon receiving Shopify's customers/redact webhook:

All return requests, return items, rule evaluation logs, abuse flags, and any GDPR export snapshots and associated access audit log rows for the specified customer email are permanently deleted from Return Wise's systems
No anonymization is performed — data is fully removed from Return Wise's storage
Data previously written to Shopify's own systems by the App (such as order notes and order tags) remains on the Shopify platform and is managed by Shopify; Return Wise has no ability to retroactively remove it

6. International Transfers

The application and database are hosted on Render (render.com) with servers located in the United States. Personal data from Data Subjects in the European Economic Area (EEA), the United Kingdom, or Switzerland will be transferred to and processed in the United States.

6.1 EU Standard Contractual Clauses (Controller-to-Processor Transfers)

For transfers of personal data from the EEA to a third country that lacks an adequacy decision under Article 45 of the GDPR, the parties incorporate by reference the Standard Contractual Clauses (Module Two — Controller to Processor) adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs"). The Data Controller is the data exporter and the Data Processor (BrightLayer Lab LLC) is the data importer. The optional and modular elements of the EU SCCs are completed as follows:

Clause 7 (Docking clause): not used
Clause 9(a) (Sub-processors): Option 2 — general written authorization. The current sub-processor list and the change-notification process are set out in Section 4.4 of this DPA
Clause 11(a) (Independent dispute resolution): not selected
Clause 17 (Governing law): Option 1 — the law of the EU Member State in which the Data Controller is established, provided that Member State law allows for third-party beneficiary rights; otherwise, the law of Ireland
Clause 18 (Choice of forum and jurisdiction): the courts of the EU Member State whose law governs under Clause 17
Annex I.A (Parties): as identified in this DPA and in the Terms of Service
Annex I.B (Description of transfer): the categories of data subjects, categories of personal data, frequency and duration of transfer, nature and purpose of processing, retention period, and sub-processors are as set out in Sections 2.3, 2.4, 2.5, 4.4, 5.1, and 5.2 of this DPA
Annex I.C (Competent supervisory authority): the supervisory authority of the EU Member State of the Data Controller's establishment or, where the Data Controller has no EU establishment, the supervisory authority of the EU Member State in which the Data Controller's representative under Article 27 of the GDPR is designated
Annex II (Technical and organizational measures): as set out in Section 4.3 of this DPA
Annex III (List of sub-processors): as set out in Section 4.4 of this DPA

6.2 UK International Data Transfer Addendum

For transfers of personal data from the United Kingdom, the parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018 (the "UK Addendum"), read together with the EU SCCs in Section 6.1. Tables 1, 2, and 3 of the UK Addendum are completed by reference to the EU SCCs and the corresponding sections and annexes of this DPA. In Table 4, neither party objects to changes to the Approved Addendum issued by the ICO from time to time.

6.3 Swiss Transfers

For transfers of personal data subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs in Section 6.1 apply with the following adaptations: references to the "GDPR" are read as references to the FADP where the FADP applies; the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and Swiss law governs transfers concerning Swiss-only data subjects.

6.4 Sub-processor Onward Transfers

Where the Data Processor's sub-processors transfer personal data outside the EEA, the United Kingdom, or Switzerland, those onward transfers are governed by the Standard Contractual Clauses, UK Addendum, and Data Processing Addenda published by each sub-processor (Shopify, Render, and Resend).

6.5 Adequacy

Where an adequacy decision under Article 45 of the GDPR or an equivalent UK or Swiss adequacy mechanism covers the destination country, the parties may rely on that adequacy decision in lieu of the SCCs and the UK Addendum.

7. Audit and Compliance Information

On reasonable written notice, and no more than once per calendar year (except where required by a supervisory authority or following a confirmed security incident affecting the Data Controller's data), the Data Controller may request:

Written responses to a reasonable data-protection and security questionnaire
Publicly available security and compliance documentation from the Data Processor's sub-processors (Shopify, Render, Resend) that demonstrate relevant certifications or controls
Documentation describing the Data Processor's technical and organizational measures as set out in Section 4.3

The Data Controller acknowledges that, as a small software operator, the Data Processor does not maintain the infrastructure for on-site audits or for providing direct access to production systems or personnel. Where an audit is compelled by a supervisory authority or required by applicable law, the Data Processor will cooperate in good faith with the Data Controller and the authority to respond to the specific request.

8. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, except where applicable data protection law does not permit such limitations.

9. Governing Law

This DPA is governed by the same law that governs the Terms of Service between the parties, except for Section 6 (International Transfers), where the EU SCCs and the UK Addendum carry their own governing law and choice of forum as set out in Sections 6.1 and 6.2.

10. Contact

Data Processor contact for data protection matters:

Email: support@returnwise.app
Website: https://www.returnwise.app/

BrightLayer Lab LLC · Registered legal address published in the Privacy Policy

By installing and using Return Wise, the Data Controller accepts this Data Processing Agreement as part of the Terms of Service.