GDPR & Data Protection
GDPR and data protection at Arbyn
How Arbyn handles personal data under the EU GDPR, the UK GDPR, and comparable laws worldwide, including our roles, the rights you and your shoppers have, and the commitments in our Data Processing Addendum.
Last updated: July 3, 2026
01.Our commitment and the scope of this page
In plain terms, this page explains how Arbyn treats personal data, who is responsible for what, and how you and your shoppers can exercise data protection rights. It is written for store owners in the European Economic Area, the United Kingdom, and Switzerland, and it also serves store owners and shoppers elsewhere in the world who expect the same standard of care.
Arbyn is an AI customer support and sales agent that you install on your Shopify store from the Shopify App Store. It reads incoming support and sales messages across your connected channels, drafts and sends replies in your store's voice, and carries out the Shopify actions you have authorized. To do that work, Arbyn processes personal data that belongs to you as a store owner and personal data that belongs to the shoppers who contact your store. This page sets out how that processing is governed under Regulation (EU) 2016/679 (the EU GDPR), the UK GDPR as retained and amended by the Data Protection Act 2018 and the Data (Use and Access) Act 2025, the Swiss Federal Act on Data Protection, and the ePrivacy rules that apply to cookies and similar technologies.
This page doubles as a summary of the data protection commitments Arbyn makes to you as a processor. The full, binding version of those commitments lives in our Data Processing Addendum, which meets the requirements of Article 28 of the GDPR, incorporates the applicable Standard Contractual Clauses and the United Kingdom transfer tools, and takes effect for you on installation. Where this page and the Data Processing Addendum describe the same commitment, the Data Processing Addendum is the controlling document, and you can request a countersigned copy at any time.
Read this page together with our Privacy Policy, which covers United States and global privacy law in more detail, our Subprocessors page, which is the source of truth for the third parties that help us run Arbyn, and our Terms of Service. Nothing on this page is legal advice, and you remain responsible for your own compliance as the controller of your shoppers' data. We keep this page current, we review it at least once every twelve months, and we date every revision so you always know which version applies.
This page describes Arbyn's real, current practices. We do not claim certifications we do not hold, and where a control is in progress rather than complete, we say so. If anything here is unclear, or if you need documentation for your own diligence or your own data protection impact assessment, the Privacy Office contact at the end of this page is a monitored inbox and we will help.
02.Who we are and how to contact us
If you want to reach a human about data protection, write to privacy@arbyn.app, and for anything security related, write to security@arbyn.app. Both inboxes are monitored.
Arbyn is operated by ONDUTYOPS LLC, a limited liability company formed in the State of Delaware in the United States. In this page, "Arbyn", "we", and "us" mean ONDUTYOPS LLC. We operate the Arbyn service at arbyn.app and distribute the Arbyn application through the Shopify App Store. For the personal data where we are the controller, ONDUTYOPS LLC is the controller within the meaning of the GDPR and the UK GDPR. For the personal data where we act on your instructions, ONDUTYOPS LLC is the processor.
Our postal contact for privacy matters is ONDUTYOPS LLC, Attn: Privacy Office. Our primary electronic contact for all data protection questions, rights requests routed through us, Data Processing Addendum requests, and records of processing is privacy@arbyn.app. Because Arbyn interacts with store owners and shoppers exclusively online, an email address is an appropriate and sufficient contact method for data protection requests, and we treat requests sent to privacy@arbyn.app as validly submitted.
We want to be precise about titles, because a loosely used title can create obligations we have not formally taken on. We have established a Privacy Office as the accountable point of contact for data protection. We have not formally appointed a Data Protection Officer under Article 37 of the GDPR, because our processing does not meet the mandatory triggers for a Data Protection Officer. Our core activity is not large-scale, regular, and systematic monitoring of data subjects, and it is not large-scale processing of special category or criminal offence data, since any special category content that reaches Arbyn is incidental rather than a core activity. If that assessment changes, we will formally appoint a Data Protection Officer, publish the contact details, and notify the competent supervisory authority as Article 37(7) requires. Until then, please direct all matters to the Privacy Office at privacy@arbyn.app.
Because ONDUTYOPS LLC is established in the United States and offers services to data subjects in the European Economic Area and the United Kingdom, we are addressing the appointment of representatives under Article 27 of the EU GDPR and Article 27 of the UK GDPR. Where a representative has been appointed, EEA and United Kingdom data subjects may contact that representative in addition to, or instead of, contacting us directly, and we will publish the representative's name and address in the supervisory authority section below and provide the current details on request through privacy@arbyn.app. Until a representative appointment is published, EEA and United Kingdom data subjects can reach us directly at privacy@arbyn.app, and we will not use the absence of a published representative to delay a valid request.
03.Our two roles: controller and processor
The simplest way to understand Arbyn is that you own your shoppers' data and we handle it for you, while we are directly responsible for the small amount of account data we collect about you. Those are two different legal roles, and they carry different responsibilities.
For the personal data of your shoppers that flows through Arbyn, you the store owner are the data controller and Arbyn is the data processor. This covers the content of shopper messages, the orders and records those messages reference, and the technical metadata such as IP address, browser, and locale that we receive when a shopper interacts with your store. It also covers the order, fulfillment, customer, catalogue, inventory, pricing, policy, and Markets configuration data that Arbyn reads from your Shopify store through the access scopes you grant. As the controller, you decide what data is collected, for what purposes, and on what lawful basis. As your processor, Arbyn processes that data only on your documented instructions, which are given through your configuration of the service, the actions you enable, and the Data Processing Addendum. We do not decide the purposes or the means of that processing for our own account, and we do not use it for our own purposes.
For the account data we collect about you when you install and use Arbyn, we are the controller. This is the data that identifies you as our customer and lets us run the commercial relationship: your Shopify store name, the owner email address, your billing account, and the OAuth permission scopes you grant at install. For that data, we determine the purposes and the means, we select and document the lawful basis, and we answer your rights requests directly. The rest of this page distinguishes clearly between the two roles so it is always obvious which one applies.
A consequence of this split is important and we want to be direct about it. As a processor, Arbyn generally must not answer a shopper's rights request about controller data on its own initiative, because doing so would mean acting on your shoppers' data without your authority as the controller. So shopper rights requests are directed to and fulfilled by you, the store owner, with Arbyn assisting you using appropriate technical and organizational measures. Requests about your own account data are handled by Arbyn directly, because there we are the controller. The section on data subject rights below explains this routing in detail.
This dual role is not a way for Arbyn to avoid responsibility. As a processor we carry the direct obligations that the GDPR places on processors, including the security, subprocessor, breach assistance, and deletion duties described below, and we remain fully liable to you for the performance of the subprocessors we engage. Where a law outside the European Union and United Kingdom does not use a clean controller and processor split, such as Canadian and Australian law, we accept direct accountability for the data we hold rather than relying only on the processor characterization, as the global coverage section explains.
04.Our Article 28 processor obligations
When we act as your processor, the GDPR requires a specific set of commitments to be in place between us, and we make them. This section summarizes them, and the full text sits in the Data Processing Addendum.
Arbyn processes shopper personal data only on your documented instructions, including with respect to transfers of that data to a third country, unless we are required to process by a law that applies to us, in which case we will inform you of that legal requirement before processing, unless the law prohibits us from doing so on important grounds of public interest. If we believe an instruction from you infringes the GDPR or the UK GDPR, we will inform you without undue delay. We ensure that the people we authorize to process personal data are bound by an appropriate obligation of confidentiality. We implement the technical and organizational security measures required by Article 32, which are described in the security section below.
We engage subprocessors only under your prior general written authorization, which you give by accepting the Data Processing Addendum and the current list on our Subprocessors page. Before we add or replace a subprocessor, we give you at least thirty days advance notice so you can object, we impose data protection obligations on each subprocessor by contract that are no less protective than those we owe you, and we remain fully liable to you for each subprocessor's performance of its obligations. We assist you, by appropriate technical and organizational measures and insofar as this is possible, in responding to requests from data subjects who wish to exercise their rights. We also assist you in ensuring compliance with the obligations in Articles 32 to 36, which cover security of processing, personal data breach notification, data protection impact assessments, and prior consultation with a supervisory authority, taking into account the nature of the processing and the information available to us.
At the end of the provision of the service, and at your choice, we delete or return all the personal data we process on your behalf and delete existing copies, unless a law that applies to us requires storage of that personal data. In practice, the Shopify deletion lifecycle described below drives this, and the outcome is that your store's data is permanently erased on receipt of the shop/redact request. Finally, we make available to you all the information necessary to demonstrate compliance with the Article 28 obligations, and we allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and security protections.
These are contractual commitments, not marketing statements, and they are enforceable through the Data Processing Addendum. Where you are carrying out vendor diligence, you can request the Data Processing Addendum, our subprocessor list, our records of processing summary, and a description of our security measures from privacy@arbyn.app, and we will provide what you reasonably need to satisfy your own accountability obligations as a controller.
05.Lawful bases for processing
The short version is that we do not pick the legal reason for processing your shoppers' data, because that is your job as the controller, and we do rely on clear legal bases for the small amount of account data we control ourselves.
For your shoppers' data, Arbyn does not choose or assert its own Article 6 lawful basis. You, as the controller, are responsible for establishing and documenting a lawful basis under Article 6 for the processing of your shoppers' personal data, which for customer support and sales is typically the performance of a contract with the shopper under Article 6(1)(b) or your legitimate interests under Article 6(1)(f). Arbyn processes that data solely on your instructions and does not rely on a basis of its own for it. If your basis for a particular activity is consent, you are responsible for collecting and recording that consent, and Arbyn will act consistently with the consent and opt-out choices your store records for its customers.
For the account data where Arbyn is the controller, we rely on the following lawful bases. We rely on the performance of our contract with you under Article 6(1)(b) to provide, maintain, and support the service and to operate your subscription. We rely on our legitimate interests under Article 6(1)(f) for keeping the service secure, preventing fraud and abuse, understanding how the service is used so we can improve it, and communicating with you as an existing customer about the service. Where we rely on legitimate interests, the specific interests we pursue are running a secure and reliable service, protecting the service and its users from abuse, and improving the quality and reliability of the product, and we have carried out a balancing test that weighs those interests against your rights and freedoms, a summary of which is available on request. We rely on compliance with a legal obligation under Article 6(1)(c) where processing is required by law, for example retaining billing and tax records. We rely on your consent under Article 6(1)(a) for optional activities such as marketing emails and non-essential cookies, and you can withdraw that consent at any time, as easily as you gave it.
We want to correct a common drafting mistake and be clear that Arbyn does not treat itself as the decision-maker for all processing. The lawful basis analysis in this section applies to the account data we control. For the shopper data we merely process on your behalf, the basis is yours to select and document, and our role is limited to acting on your instructions and helping you meet your own obligations.
Because our processing of your account data is grounded in the contract, our legitimate interests, legal obligations, and, for optional activities, your consent, providing the account data needed to run Arbyn is a contractual requirement, and if you do not provide it we will not be able to deliver the service to you. Providing data for optional activities such as marketing is never a condition of using Arbyn, and declining it has no effect on the service you receive.
06.The categories of data we process and where it comes from
Here is exactly what data moves through Arbyn and where it comes from, so there are no surprises. Most of it originates from you and from Shopify rather than directly from the shopper.
As the controller of your account data, we process your Shopify store name, the owner email address, your billing account information, and the OAuth permission scopes you grant during installation. As your processor, we handle the store data that Arbyn reads from your Shopify store through the scopes you grant, which includes order history, line items, fulfillment status, and shipping details, customer records including email address, name, and order association, your product catalogue, inventory, and pricing, and your store policies, shipping zones, and Markets configuration. We also process the support conversations from your connected channels, which are email, chat, and social direct messages. When a shopper interacts with Arbyn through your support channels, we process the content of their messages, basic technical metadata consisting of IP address, browser, and locale, and any order the shopper references.
The categories of data subjects whose personal data we process on your behalf are your shoppers and customers, meaning the individuals who contact your store for support or sales, and the individuals named in your Shopify records such as the recipients on orders. The category of data subject for whom we are the controller is you and the individuals who administer your Arbyn account.
Because much of the shopper data reaches us indirectly, we make the Article 14 source disclosure plainly. We receive shopper personal data and store data from you and from Shopify, not directly from the shopper. The categories we receive in this way are the order and fulfillment records, the customer records, the product catalogue, inventory and pricing, your store policies, your Markets configuration, and the support conversations from your connected channels. The technical metadata associated with a live chat interaction is collected automatically from the shopper's device at the moment of interaction.
We practice data minimization. Arbyn requests only the minimum Shopify API access scopes it needs to operate, the full list of scopes you grant is displayed in the Shopify installation screen, and the scope set is reviewed before every release. We do not request access to protected customer fields we do not use, and we do not retain long-lived duplicate copies of the commerce data that already lives in Shopify, since Arbyn pulls that context live through the Shopify API for the conversation at hand. Retention of the data we do hold is governed by the retention section below and by the Shopify deletion lifecycle.
We do not collect biometric data, and we do not intentionally collect data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or a person's sex life or sexual orientation. The one exception is incidental content that a shopper may volunteer in a free-text message, which the next section addresses.
07.Special category data and criminal offence data
In plain terms, we never ask your shoppers for sensitive information, but because support conversations are free text, a shopper might type something sensitive anyway, and we handle that carefully and only as your processor.
Arbyn does not solicit special category data within the meaning of Article 9, such as data about health, racial or ethnic origin, religious or philosophical beliefs, or a person's sex life or sexual orientation. Support and sales conversations are open-ended, so a shopper may occasionally volunteer such information, for example by describing a health reason for a return. Where that happens, Arbyn processes the content only as your processor and only on your instructions, and you, as the controller, are responsible for ensuring that a condition for processing special category data under Article 9(2) applies, and, under United Kingdom law, for maintaining any Appropriate Policy Document that Schedule 1 to the Data Protection Act 2018 requires for certain Article 9 or Article 10 processing.
Criminal offence data within the meaning of Article 10 can also arise incidentally, most often in the context of fraud, chargeback, and dispute handling, where a message or an order note may reference suspected fraudulent activity. As with special category data, Arbyn does not seek this data out, processes it only as your processor on your instructions, and relies on you as the controller to ensure that the processing meets the conditions that Article 10 and the applicable national law require.
Because Arbyn is your processor for this content, we should not be, and are not, the party that obtains any consent or establishes any Article 9 condition for it. Those obligations sit with you as the controller, and the Data Processing Addendum flows them to you. We instruct store owners not to route special category or criminal offence data through Arbyn where it can be avoided, and we design the product to discourage the unnecessary submission of sensitive data. We do not use special category data to infer characteristics about a shopper, and we do not use or disclose it for any purpose other than delivering the service you have instructed us to provide.
If you become aware that a shopper has submitted special category or criminal offence data that you cannot lawfully process, you can delete the relevant conversation from your dashboard, and you can shorten your conversation retention window to reduce how long such content is held. If you need Arbyn's help to locate or remove specific sensitive content in order to meet your own obligations, contact privacy@arbyn.app and we will assist you as your processor.
08.Your data subject rights
Everyone whose personal data Arbyn processes has rights, and this section lists them and, just as importantly, tells you who to ask, because for shopper data the right destination is the store owner, not Arbyn.
Under the GDPR and the UK GDPR, data subjects have the right to be informed about how their data is processed, which is what this page and our Privacy Policy provide. They have the right of access under Article 15, to obtain confirmation of whether their data is being processed and a copy of that data. They have the right to rectification of inaccurate or incomplete data under Article 16, the right to erasure, also known as the right to be forgotten, under Article 17, and the right to restriction of processing under Article 18. They have the right to be notified about rectification, erasure, or restriction under Article 19, the right to data portability under Article 20, meaning a copy of the data they provided in a structured, commonly used, and machine-readable format, and the right to object to processing under Article 21, including an absolute right to object to direct marketing. They have rights in relation to automated individual decision-making and profiling under Article 22, which the automated decision-making section below addresses substantively. They have the right to withdraw consent at any time under Article 7(3) where consent is the basis for a processing activity, and the right to lodge a complaint with a supervisory authority under Article 77.
The routing of these requests matters. If you are a shopper, you should send your access, correction, deletion, or other rights request to the store owner whose store you contacted, because that store owner is the controller of your data and decides how requests are handled. Arbyn, as the processor, cannot lawfully act on your data without the store owner's authority, but Arbyn will assist the store owner in responding. In practice, a store owner can action most requests directly, because much of the underlying data lives in Shopify, and the Shopify deletion webhooks described below provide a built-in mechanism for access and deletion that Arbyn honors automatically.
If you are a store owner, you can exercise your own rights over your account data directly with Arbyn, and you can also forward or escalate a shopper's request to us so that we assist you. You can action most shopper requests yourself from the Arbyn dashboard, for example by shortening conversation retention, requesting earlier deletion, or triggering a Shopify customer redaction, and where you need Arbyn to compile or delete data that only Arbyn holds, you can email privacy@arbyn.app.
We do not discriminate against anyone for exercising a right. Exercising a data protection right does not change the service a store owner receives or the way a shopper is treated. The one situation where we must limit action is where fulfilling a request would require us to act on controller data without the controller's authority, in which case we route the request to the correct controller rather than ignore it.
09.How to exercise your rights and our response times
To make a request, email privacy@arbyn.app if it concerns account data we control or if you are a store owner forwarding a shopper request, and if you are a shopper, contact the store you dealt with. We will confirm your identity before acting, and we will respond within the statutory timeframe.
For requests where Arbyn is the controller or is assisting the controller, we respond without undue delay and in any event within one month of receiving the request, in line with Article 12(3). Where a request is complex or where we have received a number of requests, we may extend that period by up to two further months, and we will inform the person of the extension and the reasons for it within one month of receiving the request. There is no fee for a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee based on administrative costs or refuse to act, and we will explain our reasoning if we do.
We verify identity before we disclose or delete personal data, so that we do not act on a fraudulent or mistaken request. The verification we ask for is proportionate to the sensitivity of the data and the nature of the request, and we ask only for information reasonably necessary to confirm that the requester is the person whose data is at issue, or that person's authorized agent. A person may use an authorized agent to make a request on their behalf, and where an agent submits a request, we may require written proof of the agent's authority and confirmation of the underlying person's identity before we act.
Because Arbyn is a processor for shopper data, our fastest and most reliable channel for shopper access and deletion is the Shopify deletion lifecycle, which the next section describes. When a store owner uses that mechanism, Arbyn responds automatically and within the timeframes Shopify requires, without the shopper needing to correspond with Arbyn at all. For everything that falls outside that mechanism, privacy@arbyn.app is the route, and we treat requests to that inbox as validly submitted from the moment they arrive.
If we decline a request, we will tell the person why and inform them of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy. For requests routed to a store owner as controller, the store owner is responsible for communicating the outcome, and Arbyn will support the store owner in providing the information the law requires.
10.Automated decision-making and AI-generated replies
Because Arbyn is an AI agent, we address automated decisions directly rather than burying them in a list. Arbyn drafts and can send replies, and it can carry out store actions you authorize, and you control how much of that happens without a human in the loop.
Arbyn uses AI to read incoming messages, draft replies in your store's voice, and, where you enable it, take actions such as refunds, cancellations, address changes, and returns. The logic is that the model analyzes the shopper's message together with the live Shopify context for the relevant order and your store policies, and then produces a reply or a proposed action that fits your configured rules. The significance for a shopper is that a response or an action affecting their order can be generated quickly and, depending on your settings, automatically. You control the level of autonomy through confidence thresholds, escalation rules, refund ceilings, and per-action toggles, and you can require human review before any category of action is taken.
Where a decision would be based solely on automated processing and would produce a legal effect on a shopper or similarly significantly affect them, the Article 22 safeguards apply. In those cases a human can review the decision, intervene on it, and reverse it, and a shopper can ask the store owner for human review, express their point of view, and contest the decision. Because you as the store owner configure and control Arbyn's autonomy, you are responsible for setting the level of human involvement that is appropriate for your store and for the decisions Arbyn is permitted to make on your behalf, and Arbyn provides the controls that make meaningful human involvement possible, including the ability to pause every channel instantly.
Every action Arbyn takes on your store is logged where you already look. A refund, cancellation, address change, discount, or reply writes to the Shopify order timeline, so there are no invisible automated actions and you retain a clear audit trail for oversight and for responding to a shopper who contests a decision. This visibility is part of how we make the human-in-the-loop model real rather than theoretical.
We disclose the existence of this automated processing, the general logic involved, and its significance and consequences here so that you can pass the relevant information to your shoppers as their controller, and so that shoppers understand that they can seek human review of a decision that significantly affects them. If your configuration means that no decision is taken solely by automated means, because a human reviews outputs before they are sent or actioned, then Article 22 in its strict form may not be engaged, but the transparency and control described here still apply.
11.Consent and how to withdraw it
Where we rely on your consent, you can take it back at any time, and doing so is as easy as giving it. Withdrawing consent does not affect processing that already happened while your consent was valid.
For the account data we control, we rely on consent only for optional activities, principally marketing communications and non-essential cookies on our website. You can withdraw consent to marketing at any time by using the unsubscribe link in any marketing email or by contacting privacy@arbyn.app, and you can change your cookie choices at any time through the cookie controls on our website. When you withdraw consent, we stop the relevant processing promptly, and the withdrawal does not affect the lawfulness of processing carried out before you withdrew.
For your shoppers' data, consent, where it is the basis, is a matter between you as the controller and your shopper. Arbyn does not obtain consent from your shoppers on its own behalf, and it acts consistently with the consent and opt-out choices your store records for its customers. If your store records that a shopper has opted out of a particular kind of processing, you remain responsible for ensuring that your instructions to Arbyn reflect that choice.
We do not use pre-ticked boxes, and we do not bundle consent for optional activities into acceptance of the service. Consent, where we rely on it, is freely given, specific, informed, and unambiguous, and refusing or withdrawing it does not degrade the core service. We also do not use design patterns that push you toward accepting more processing than you intend, and our reject option for non-essential cookies is as easy to use as our accept option.
If you ever believe we are relying on consent for something that should have a different basis, or that we have not honored a withdrawal, tell us at privacy@arbyn.app and we will correct it.
12.International data transfers and the safeguards we rely on
Arbyn is hosted in the United States, so if you or your shoppers are in Europe, personal data is transferred to and processed in the United States, and we put recognized safeguards in place for those transfers. We do not claim that the United States provides an adequate level of protection under European law, and we rely on contractual and technical safeguards instead.
Arbyn's application and data are hosted on Render in the United States, our LLM inference runs on Deep Infra in the United States under a zero-retention, no-training arrangement, our transactional email is sent through Resend and Postmark in the United States, and Cloudflare provides our content delivery and security across a global edge network. Two of our subprocessors, Shopify and Shopify Billing, are provided by a Canadian company. This means that transfers of European personal data to Arbyn and onward to these subprocessors are transfers to third countries that require a valid transfer mechanism.
For transfers of EEA personal data, we rely on the European Commission's Standard Contractual Clauses under Implementing Decision (EU) 2021/914, using the controller-to-processor module for the transfer from you as the EEA store owner to Arbyn, and the processor-to-processor module for onward transfers from Arbyn to our subprocessors. Where a subprocessor is certified under the EU-US Data Privacy Framework, we may also rely on that adequacy decision for the transfer to that subprocessor, while keeping the Standard Contractual Clauses in place as a fallback. For transfers of United Kingdom personal data, we rely on the United Kingdom International Data Transfer Agreement or the United Kingdom Addendum to the EU Standard Contractual Clauses, and, where the importer is certified, the United Kingdom Extension to the EU-US Data Privacy Framework. For transfers of Swiss personal data, we rely on the Swiss version of the Standard Contractual Clauses or, where available and applicable, the Swiss-US Data Privacy Framework.
Because adequacy frameworks can be challenged and change, we do not depend on them alone. We carry out a transfer risk assessment in the spirit of the Schrems II decision, we keep the Standard Contractual Clauses and the United Kingdom transfer tools in place as the durable safeguard even where a Data Privacy Framework certification also exists, and we apply supplementary technical measures, principally encryption of personal data in transit and at rest. Not every subprocessor is certified under a Data Privacy Framework, so for those subprocessors the transfer rides on the Standard Contractual Clauses supported by our transfer risk assessment rather than on adequacy.
A copy of the safeguards that apply to a particular transfer, including the relevant Standard Contractual Clauses module and any supplementary measures, is available to store owners on request through privacy@arbyn.app. These transfer commitments are also incorporated into the Data Processing Addendum, which is the binding record of the transfer mechanisms we rely on.
13.Subprocessors and your right to object
We use a small, named set of third parties to run Arbyn, we list every one of them publicly, and we tell you before we add a new one so you have a chance to object. The full and current list is the source of truth, and it always matches what we describe here.
Our current subprocessors, as published on our Subprocessors page, are Render, which provides application hosting, database, and background workers in the United States and processes Arbyn application data at rest and in transit, Deep Infra, which provides LLM inference in the United States under a zero-retention, no-training arrangement and processes customer message text and order context as inference inputs, Shopify, provided by Shopify Inc. in Canada, which is the source of your order, customer, catalogue, and policy data that Arbyn reads through the Shopify API, and Shopify Billing, also via Shopify in Canada, through which all Arbyn subscription charges run inside your Shopify admin so that no card details ever reach Arbyn. The remaining subprocessors are Resend, which sends store-owner-facing transactional email in the United States, Postmark, whose legal entity is ActiveCampaign LLC in the United States, which sends forwarding and escalation email routed to store owner inboxes, and Cloudflare, which provides DNS, content delivery, and DDoS protection across a global edge from the United States. This is a total of seven subprocessors, which is the count published on the Subprocessors page.
Each subprocessor is engaged under a written contract that binds it to process data only on Arbyn's instructions and to protect the data to a standard no less protective than the standard we owe you, and we remain fully liable to you for each subprocessor's performance. You give general written authorization for us to engage these subprocessors when you accept the Data Processing Addendum and the current list on the Subprocessors page.
Before we add or replace a subprocessor, we give at least thirty days advance notice. We email the store owners who are on the subprocessor change notice list and we update the Subprocessors page. You may object to a new subprocessor in writing during the notice period. If we cannot resolve your objection, you may terminate, and on termination your data is deleted within thirty days, retaining only the minimum logs required for audit purposes. You can subscribe to change notices, or raise an objection, by writing to privacy@arbyn.app.
The Subprocessors page at arbyn.app/subprocessors is the authoritative, versioned list, and where anything here and that page appear to differ, that page controls and we will bring this page into line. We keep the two in sync deliberately, and we link to the Subprocessors page so that you can audit each vendor directly through the DPA or trust link we publish for it.
14.The Shopify mandated data lifecycle and deletion timelines
Because Arbyn is a Shopify app, Shopify enforces a set of privacy webhooks that govern shopper data requests and deletion, and we implement all three exactly as Shopify requires. This gives you and your shoppers a reliable, automatic route to access and deletion that does not depend on email.
When a shopper asks a store owner for a copy of their data, Shopify sends Arbyn a customers/data_request webhook. On receiving it, Arbyn compiles everything it holds for that shopper and returns it to the store owner within the thirty days Shopify requires, formatted for portability, so the store owner can provide it to the shopper. When a store owner requests deletion of an individual customer's data, Shopify sends Arbyn a customers/redact webhook, and Arbyn permanently deletes all data it holds for that shopper within the thirty days Shopify requires, measured from when Shopify sends the request. Shopify may delay sending this request where the customer placed an order in the last six months, so the clock runs from the request rather than from the moment the store owner clicks delete. This deletion overrides the default conversation retention window described in the next section.
When you uninstall Arbyn, Shopify sends a shop/redact webhook forty-eight hours after the uninstall. On receiving that request, Arbyn permanently erases all data it holds for your store, and always within the thirty-day window Shopify allows. We want to be precise, because it is easy to state this incorrectly: the deletion is triggered by the shop/redact request that arrives forty-eight hours after uninstall, not instantly on uninstall, and Shopify's mandated deadline for completing deletion is thirty days. Our own target is to complete erasure promptly on receipt of the request, and in normal operation well within the Shopify window, but we describe the guaranteed obligation as erasure on receipt of the request and in any event within the thirty-day Shopify window, so that the commitment is accurate.
Deletion under these webhooks is permanent, with no soft-delete recovery window, and we verify the authenticity of every Shopify compliance webhook by checking its HMAC signature and rejecting any request that fails verification, so that no one can trigger a spurious data request or deletion. Where we are legally required to retain specific data, for example a billing record required by tax law, we retain only that specific data for only as long as the law requires, and we delete the remainder.
These webhooks are the fastest and most reliable way for your shoppers to obtain access and deletion, because they operate automatically and within fixed timeframes. They also implement, in practice, much of the erasure and portability rights described earlier in this page, and they are enforced by Shopify rather than left to our discretion.
15.Data retention
We keep personal data only for as long as we actually need it, and we tell you the specific periods rather than hiding behind a vague phrase. Different categories have different retention rules, and you can shorten some of them yourself.
Account data, where Arbyn is the controller, is retained for as long as your Arbyn account is active, and it is deleted when the account is closed, subject to any minimum retention that law requires for records such as billing and tax. The entire store's data that Arbyn holds as your processor is permanently deleted on receipt of the shop/redact request that Shopify sends forty-eight hours after you uninstall, and always within the thirty-day Shopify window, as the lifecycle section explains. An individual shopper's data is permanently deleted within thirty days of the customers/redact request, measured from when Shopify sends it.
Conversation history is retained for twenty-four months by default, so that Arbyn can learn from your store's past replies and maintain quality over time. This twenty-four month period is Arbyn's own default, not a Shopify requirement, and because we act only on your instructions as the controller, you can shorten this window or request earlier deletion of specific conversations from your dashboard at any time. If you shorten the window, we apply the shorter period going forward, and a Shopify deletion webhook overrides the window entirely.
Backups and operational logs are retained on a defined, limited cycle and are purged in the ordinary course, and where a deletion request is fulfilled, residual copies in backups age out under that cycle rather than persisting indefinitely. Audit logs that we are required to keep for security or legal reasons are retained only to the minimum extent necessary. We do not retain personal data for longer than is reasonably necessary and proportionate to the purposes for which it is processed, and we practice data minimization by pulling live commerce context from Shopify for a conversation rather than warehousing long-lived duplicates.
If you need a specific retention period for a category not listed here, or documentation of our retention practices for your own data protection impact assessment, contact privacy@arbyn.app and we will provide it. Our retention practices are also reflected in the Data Processing Addendum, which governs deletion and return of data on termination.
16.Security measures
Protecting your data is a baseline obligation, not a feature, and we describe our actual measures honestly, including what is in progress rather than complete. We do not claim that any service is perfectly secure, because no service can be, and we do not claim certifications we do not hold.
We implement technical and organizational measures appropriate to the risk, as Article 32 requires. Personal data is encrypted in transit using TLS 1.2 or higher, in practice TLS 1.3 across our requests, and encrypted at rest using AES-256 on the database. API tokens are stored encrypted with rotating keys. Access to production systems is governed by role-based, least-privilege access controls, only the team members who need production access have it, access requires justification and is logged, and every action Arbyn takes on a store writes to the Shopify order timeline so that there is a complete and visible audit trail. Backups are encrypted, production and test data are kept separate, and we maintain a documented security incident response process. Our LLM inference runs under a zero-retention, no-training arrangement with Deep Infra, so the message content and order context sent for inference are not retained by the model provider and are not used to train any model.
Our infrastructure runs on Render, which carries SOC 2 Type 2 and ISO 27001 at the infrastructure layer, undergoes annual third-party penetration testing, and publishes a GDPR Data Processing Addendum. We inherit that infrastructure posture for the layer we do not control, and our subprocessors' certifications are their own, which we monitor and keep current. As for Arbyn's own certification posture, our SOC 2 Type 2 audit is in progress, with expected completion in the first quarter of 2027, and we will not imply that Arbyn itself already holds SOC 2 or ISO 27001 until it does.
We treat our public statements about security as promises that must be true, and we keep them accurate as our practices and our subprocessors' certifications change. We do not describe data as fully anonymized when it is not, and we do not claim that the service is immune to compromise. If a control described here changes, we update this page and our security page.
Because Arbyn accesses protected customer fields such as name, email, and shipping address, we meet the higher tier of Shopify's Protected Customer Data requirements, which include encrypting backups, separating test and production data, restricting and logging staff access to protected customer data, maintaining a data loss prevention posture, and operating a security incident response process. The security measures we publish match what we declare to Shopify, because an inconsistency between the two would itself be a compliance problem.
You control an important part of security yourself. You set refund ceilings and action toggles, you can require human review, and a one-click kill switch pauses every channel instantly, so you can constrain what Arbyn is able to do with your data and your store at any time.
17.Personal data breach notification
If personal data is ever breached, we tell the right party quickly, and the exact obligation depends on whether we are your processor or the controller. We are careful not to overstate what we do, because the seventy-two hour clock has a specific legal owner.
Where Arbyn acts as your processor and we become aware of a personal data breach affecting your shoppers' data, our legal duty under Article 33(2) is to notify you, the controller, without undue delay. We do that so that you can meet your own obligation under Article 33(1) to notify the competent supervisory authority within seventy-two hours where the breach is likely to result in a risk to individuals, and to notify affected individuals under Article 34 where the risk is high. We do not notify a supervisory authority on your behalf for shopper data, because that duty is yours as the controller, and we do not imply otherwise.
As a matter of contract and practice, we commit to notify you promptly and, as our security page states, within seventy-two hours of becoming aware of an incident affecting your data, even though our strict legal standard as a processor is without undue delay. That notification will describe the nature of the breach, the categories and approximate number of data records and data subjects affected, the likely consequences, and the measures we have taken or propose to take to address it and to mitigate its effects. This gives you what you need to make your own notification decisions on time.
Where Arbyn is the controller, which is the case for your account data, we carry the seventy-two hour duty ourselves. In that situation, we will notify the competent supervisory authority within seventy-two hours of becoming aware of a breach that is likely to result in a risk to individuals, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
We do not hide incidents. Any security incident affecting your data is disclosed within seventy-two hours of detection, by email, with the full scope and the remediation, and we treat that regulatory floor as our ceiling. The breach assistance we provide as a processor is also part of our Article 28 commitments, so that you can rely on our cooperation when you are meeting your own obligations under Articles 33 and 34.
18.Records of processing and documentation available on request
We keep the records the law requires and we make the documentation you need for your own compliance available on request. As a processor operating continuously rather than occasionally, we do not rely on the small-organization exemption from record keeping.
Arbyn maintains records of its processing activities under Article 30(2), which describe the categories of processing carried out on behalf of each controller, the transfers of personal data to third countries and the safeguards for them, and a general description of the technical and organizational security measures we apply. We keep these records current as our processing and our subprocessors change, and we can provide a summary to you to support your own record keeping.
We also support your accountability obligations. We assist you, as your processor, in carrying out data protection impact assessments under Article 35 and in any prior consultation with a supervisory authority under Article 36, by providing the information about our processing, security measures, and subprocessors that you reasonably need. If you are assessing the deployment of an AI support agent and need input on the automated decision-making, the data flows, or the transfer mechanisms, contact privacy@arbyn.app and we will help.
A range of documentation is available on request to store owners, including the Data Processing Addendum, the applicable Standard Contractual Clauses and United Kingdom transfer tools, our subprocessor list and the individual subprocessor agreements' data protection terms in summary form, our description of technical and organizational security measures, and a summary of our records of processing. The Subprocessors page provides the authoritative subprocessor list without needing to ask, and privacy@arbyn.app is the route for the rest.
These records and this documentation exist so that you can demonstrate your own compliance and so that we can demonstrate ours. We make available all the information necessary to show compliance with our Article 28 obligations, and we allow for and contribute to audits and inspections that you or your mandated auditor conduct, subject to reasonable confidentiality and security protections.
20.Global coverage beyond the EU and UK
Wherever you or your shoppers live, we aim to honor the core privacy rights that local law provides, and this section names a few key regimes and the regulators you can turn to. Arbyn stores and processes personal data primarily in the United States, with two subprocessors provided by a Canadian company, so by using Arbyn a shopper's personal data may be transferred to, stored in, and accessed from countries outside their own, including the United States and Canada.
In Canada, Arbyn's practices are informed by the Personal Information Protection and Electronic Documents Act, and, for Quebec residents, by Quebec's Law 25, which adds obligations such as data portability, notice of decisions based exclusively on automated processing with a right to submit observations, and a privacy assessment before certain cross-border transfers. We remain accountable for personal information transferred to our subprocessors, we use written data processing agreements and technical measures to require a comparable level of protection, and we give the foreign-access notice that Canadian guidance expects, which is that when personal information is handled by a service provider in another country, including the United States, it may be accessible to the courts, regulators, law enforcement, and national security authorities of that country under that country's laws. Canadian individuals may contact the Office of the Privacy Commissioner of Canada, and Quebec residents may contact the Commission d'acces a l'information du Quebec.
In Australia, our practices are informed by the Privacy Act 1988 and the Australian Privacy Principles. We are likely to disclose personal information to overseas recipients located in the United States and Canada, and we take reasonable steps to ensure those recipients handle the information consistently with the Australian Privacy Principles. Australian individuals can request access to and correction of the personal information we hold, can opt out of direct marketing, and can complain to Arbyn first and then to the Office of the Australian Information Commissioner. Because Australian law does not use a strict controller and processor split, we accept direct accountability for the data we hold about Australian individuals rather than relying only on a processor characterization. In Brazil, our practices are informed by the Lei Geral de Protecao de Dados, under which we act as store owner on the documented instructions of the store owner as controller for shopper data, and as controller for account data. International transfers of the data of individuals in Brazil are carried out under a mechanism recognized in Chapter V of the LGPD, such as the Brazilian Standard Contractual Clauses or equivalent contractual safeguards, and we do not claim that the United States is an adequate country. Brazilian individuals have the rights set out in Article 18 of the LGPD, including confirmation of processing, access, correction, anonymization or deletion, portability, and information about sharing, and they may petition the Autoridade Nacional de Protecao de Dados.
For shoppers elsewhere, we aim to honor the core rights of access, correction or rectification, deletion or erasure, objection or opt-out, restriction, and portability to the extent the applicable local law provides, and we recognize comparable frameworks such as the Swiss revised Federal Act on Data Protection, the New Zealand Privacy Act 2020, South Africa's POPIA, Japan's APPI, South Korea's PIPA, Singapore's PDPA, and other national laws where Arbyn operates. We respond to rights requests without undue delay and, where a shorter statutory deadline applies, within that shorter period, and our deletion and retention commitments apply globally, meaning entire store data is permanently erased on receipt of the shop/redact request after uninstall and within the Shopify window, individual customer data is deleted within thirty days of a customers/redact request, and conversation history is retained for twenty-four months by default and is shortenable by the store owner.
Across all of these regimes, the routing principle is the same as under the GDPR. Shoppers should send access, correction, and deletion requests to the store whose support channel they used, because that store owner is the controller, Arbyn will assist that store owner, and Arbyn will act directly where it is the controller of the data or where local law places the obligation directly on Arbyn. Our data is not sold, it is not used to train models for other store owners, and our LLM inference runs under a zero-retention, no-training arrangement, and those commitments hold no matter where a shopper is located.
21.The Data Processing Addendum
If you need a signed data processing agreement for your files, we already have one, it is pre-signed, and it takes effect when you install Arbyn. This is the binding legal home for the processor commitments summarized on this page.
We make a Data Processing Addendum available to every store owner. It meets the requirements of Article 28 of the GDPR and the UK GDPR, it reflects Arbyn's role as your processor, it lists our subprocessors and incorporates the subprocessor change notice mechanism, and it incorporates the applicable EU Standard Contractual Clauses and the United Kingdom International Data Transfer Addendum for cross-border transfers, with the Swiss addendum where you serve Switzerland. The Data Processing Addendum is pre-signed and takes effect on installation for store owners in the European Economic Area, the United Kingdom, and Switzerland, and it is available to store owners in other regions on request.
The Data Processing Addendum contains the detailed contract terms that this page only summarizes, including the full text of the Article 28(3) processor undertakings, the subprocessor authorization and objection process, the audit and information rights, the security schedule, the deletion and return terms that apply on termination, and the incorporated transfer clauses. Where this page and the Data Processing Addendum both describe a commitment, the Data Processing Addendum controls, because it is the operative contract between you and us.
You can request a countersigned copy of the Data Processing Addendum, or a copy of the incorporated Standard Contractual Clauses and United Kingdom transfer tools, by writing to privacy@arbyn.app. If your legal team needs to review the transfer mechanisms, the subprocessor list, or the security schedule before installation, we can provide those documents in advance.
Keeping the detailed processor terms in the Data Processing Addendum, rather than restating all of them on this public page, is deliberate. It lets this page stay readable while ensuring that the binding commitments live in a single, controlled document that we can maintain and that you can rely on for your own diligence.
22.Changes to this page
We keep this page current and we date every version, so you can always tell what applies and when it changed. We do not make material, less protective changes to how we handle data you already gave us without telling you and, where required, obtaining your agreement.
We review this page at least once every twelve months and whenever our practices, our subprocessors, or the applicable law change in a way that affects it. Each revision carries a clearly displayed last-updated date, and material changes are notified in advance rather than applied silently. For store owners, we provide advance notice of material changes, and continued use of Arbyn after the effective date of a change means the updated page applies to processing going forward.
We will not apply materially different, less protective terms to personal data we already hold without an appropriate legal basis, and where the law requires your affirmative agreement to a retroactive material change, we will seek it rather than rely on mere posting. This reflects both our commitment to you and the principle that a privacy promise, once made, must be honored for the data collected under it.
Where a change affects the subprocessors we use, the subprocessor change notice process applies, meaning at least thirty days advance notice, the ability to object, and the right to terminate with deletion of your data if we cannot resolve your objection. Where a change affects the Data Processing Addendum, we will make the updated version available and, for material changes, notify affected store owners.
If you want to be notified of changes, subscribe to our subprocessor change notices or contact privacy@arbyn.app, and we will make sure you receive advance notice of material updates that affect you.
23.Contact us
If you have any question, request, or complaint about data protection, here is how to reach us, and both inboxes below are monitored by real people. For privacy questions, rights requests routed through us, Data Processing Addendum requests, and records of processing, write to privacy@arbyn.app. For anything security related, including vulnerability reports and security questionnaires, write to security@arbyn.app.
Our postal contact for data protection is ONDUTYOPS LLC, Attn: Privacy Office. Arbyn is operated by ONDUTYOPS LLC, a Delaware limited liability company, and the Privacy Office is the accountable point of contact for data protection matters. We are not required to, and have not, formally appointed a Data Protection Officer under Article 37, and we use the Privacy Office title rather than a Data Protection Officer title to avoid representing an appointment we have not made. If that position changes, we will publish the Data Protection Officer's contact details and notify the competent supervisory authority.
If you are a shopper, remember that the store owner whose store you contacted is the controller of your data, so the fastest route for an access, correction, or deletion request about your shopper data is to contact that store directly. The store owner can act on your request, including by using the Shopify deletion mechanism that Arbyn honors automatically, and can escalate to Arbyn where our assistance is needed. If you are a store owner, you can reach us directly about your own account data and about assisting with your shoppers' requests.
For international matters, EEA and United Kingdom data subjects can use the representative and supervisory authority routes described above, and individuals in Canada, Australia, Brazil, and elsewhere can use the regulator contacts named in the global coverage section. In every case, we would welcome the chance to resolve your concern first, and privacy@arbyn.app is the place to start.
We aim to reply to security and data protection contacts promptly, and for security questions and access requests we target a substantive reply within one business day, while formal rights requests are answered within the statutory timeframes set out earlier in this page. This page should be read together with our Privacy Policy, our Subprocessors page, our Security page, and our Terms of Service, which together describe how Arbyn handles data and the commitments we make to you.