Approosters & Merchant agreement

Last updated: 11th of June 2024.


This is an agreement between these two parties:

1. Merchant - You, as a Shopify merchant, who uses Approosters' Shopify Apps (later "App") in their Shopify stores (later, in Terms of service, the "merchant")

2. Approosters - the provider of Shopify Apps

(Company name: Approosters Oy, VAT ID FI29832409)

The agreement consists of two parts:

1. Terms of service (Terms)

2. Data Processing Agreement (DPA)

together, the "Agreement".

By using the Apps developed by Approosters, you comply with this agreement.

1. Terms of service

Shipping carriers

The merchant is responsible of his/her agremeents with the shipping carriers that he/she uses with Apps developed by Approosters.

Shipping fees and other charges

The merchant is responsible of setting up and monitoring the shipping charges he/she charges from their customers using the App. The merchant is responsible of all the shipping fees and other charges charged by the shipping service provider of the merchant's shipments done with the App.

Selling, providing or shipping of illegal products

The merchant is responsible of following the laws of the countries he/she ships products from and to. Approosters is not responsible of any illegal activities, such as shipping illegal products, or any other similar illegal activity done with the help of the App.

Responsibilities of shipping fees and customs declaration

Approosters is not responsible of any fees caused by the use of the App, such as shipping services, customs declaration or other services by shipping carriers and such parties. The merchant needs to know which customs declaration documents he/she needs for shipments. Approosters is not responsible for any extra fees caused by missing documents or other information in shipments.

2. Data Processing Addendum

We value your and your customer's privacy

The app developed and provided by Approosters ("the App”) provides features such as order processing, shipping integrations with many shipping carriers and the ability for Shopify merchants to fulfill and ship orders to merchants who use Shopify to power their stores ("the Service”). This Data Processing Agreement (“DPA”) is attached to and supplements the Agreement between the Approosters (“Processor”) and Merchant (”Controller”). This DPA sets out the terms and conditions for the processing of Personal Data by the Processor on behalf of Controller. In this DPA Controller's data is referred as ”Merchant data” and Controller's Shopify store's customer data as ”Customer data”. ’Personal Data” means any information relating to an identified or identifiable natural person as defined in Data Protection Laws, which the Processor has received from the Controller before or after the effective date of this DPA.

Rights and responsibilities of the Controller

The Controller shall:

  • a) process the Personal Data in compliance with the Data Protection Laws and good data processin practice;
  • b) give documented and binding instructions to the Processor on the processing of Personal Data;
  • c) at all times retain the control and authority to the Personal Data; and
  • d) at all times retain title and intellectual property rights and other rights to Personal Data.

General obligations of the Processor

The Processor shall

  • a) process the Personal Data in compliance with the Data Protection Laws and good data processing practice
  • b) use Personal Data only for the purposes specified in the Agreement and this DPA and for no other purpose;
  • c) process the Personal Data only on documented instructions from the Controller which may be given throughout the processing, unless processing is required by Law to which the Processor is subject to, whereby Processor shall inform the Controller about such legal requirement before the processing unless the law prohibits this on important grounds of public interest. Processor must inform the Controller if the instructions infringe the Data Protection Laws;
  • d) provide at its own cost adequate data protection training to the employees and ensure that it shall authorize the employees to process Personal Data only to the extent that is strictly necessary for the fulfilment of the Agreement and that everyone authorized to process Personal Data is competent and under a confidentiality obligation;
  • e) assist at its own cost the Controller by appropriate technical and organizational measures in the Controller's obligation to respond to data subject’s requests, and assist the Controller in the Controller’s obligation to carry out data protection impact assessments and consultations to the supervisory authority; and
  • f) assist and provide without delay at its own cost the Controller with all information necessary to demonstrate compliance with the relevant law and this DPA at its own cost.


Personal data the App Collects

When Controller installs the App, Processor is automatically able to access certain types of information from Controller's Shopify account as Merchant data: to read products, to read and write orders, to add shipping information to orders and also the email address and address details of Controller's Shopify store. Processor collects Merchant data directly from the relevant individual, through Controller's Shopify store, or using the following technologies: “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps. “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the App.

The App also collects necessary Customer data from Controller's Shopify store in order to function properly. This data is only stored for a period of time it is needed to process the order fulfillments and possible returns with the App. This period is 60 days and after that the data is deleted. This customer data includes order information, customer contact details and address information.

How Processor uses Merchant Data?

Processor uses Merchant data to provide the Service and to operate the App. Additionally, Processor uses this personal information to: Communicate with Controller; Optimize or improve the App; and Provide Controller with information or advertising relating to Processor's products or services.

How Processor uses Customer Data?

Processor uses Customer data to make the App usable and to improve the usability of the App for different kind of shipping and fulfillment configurations. The Customer data is needed to create the necessary shipping labels for orders and shipping configurations to Controller's Shopify checkout. Processor doesn't store Customer data longer than needed for the App to function properly.

Sharing Merchant data

Processor shares merchants email address with Klaviyo, the email newsletter provider, of which Processor uses to send important information regarding the App. Controller can always unsubscribe from the email list, and Controller's email information will be removed from Klaviyo. Klaviyo's privacy policy is here: https://

Finally, Processor may also share Controller's Personal data to comply with applicable laws and regulations, Processor transfers personal data to outside the European Union and the European Economic Area in order to provide agreed service to Controller. Processor shall ensure that such transfers outside the EU are compliant with the Data Protection Laws, this DPA and the Controller's instructions,

Sharing Customer data

Processor shares Customer data only if the Controller using the App uses Processor's integrations to connect data to third-party services, e.g. to shipping providers to print shipping labels or printing services to automatically print order data.

Limited access to Merchant and Customer data

Processor limits the access to Merchant and Customer data by Processor's personnel so that only the limited individuals working with Approosters has access to the data, and all the individuals who work for Approosters have signed a strict non-disclosure agreement not to share or collect the data other than the parts mentioned in this DPA.

Processor also limit the access to any Merchant or Customer data with strong passwords and two-factor authentications.

Data loss prevention strategy and data security

Processor has a data loss prevention strategy to help keeping Controller's data safe. This strategy includes technical controls, policies and standards to protect personal data. The Processor shall implement technical and organizational measures to protect Personal Data against unlawful or unauthorized processing and against accidental loss, destruction, damage, alteration or disclosure. The Processor's aforementioned security measures shall at all times meet or exceed the (i) requirements of any applicable Data Protection Regulation; and (ii) security measures then prevalent in the Processor's industry to which the processing of Personal Data relates to. The Processor shall take into account the appropriate level of security, state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. The Processor shall, inter alia, as appropriate:

  • a) regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing;
  • b)  create back-up facilities to restore Personal Data in the event of a data breach;
  • c)  to the extent possible, pseudonymize and encrypt the Personal Data it processes;
  • d)  ensure at all times the confidentiality, integrity, availability and resilience of systems and services processing Personal Data.

The Processor shall apply specific restrictions and additional safeguards if the processing involves personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying Data Subject, or data relating to criminal convictions and offences.

Security incident response policy

If Processor notices any data breach or security incidence regarding chances of any personal information ending up in wrong hands, Processor notifies the affected merchants and takes instant actions on protecting the data and fixing the possible vulnerabilities.

Data retention

When Controller installs the App, Processor will maintain Controller's contact information (Merchant data) for Processor's records unless and until Controller asks to delete this information. Customer data collected by the App is kept safe only for 60 days until it will be deleted. If the App needs to access customer data after that (e.g. you need to print returns label for an old shipment using the App), the data is re-acquired and stored for another 60 days, until it will be deleted.

Processor may update this DPA from time to time in order to reflect, for example, changes to Processor's practices or for other operational, legal or regulatory reasons.

Auditing process

At any time during the term of the DPA, the Controller and/or a recognized, independent third party auditor appointed by the Controller shall have the right to perform audits and inspections on the Processor’s compliance with the DPA and the required technical and organizational security measures. The Controller shall give written notice to the Processor at least fourteen (14) days prior to any audit. Notwithstanding anything to the contrary agreed elsewhere in the Agreement, the Controller may perform an audit without prior notice if the Controller has a justified reason to suspect that the Processor is in significant breach of this DPA or Data Protection Laws.

The Processor shall assist the Controller in the execution of the audit. If an audit request comes from a Supervisory Authority, the Processor shall assist the Controller in answering the request and organizing the audit. Each Party shall bear its own costs regarding an audit.

The audit right described shall also cover any subcontractors of the Data Processor.


Unless otherwise agreed in writing, the Processor is entitled to use subcontractors only with the Controller’s prior specific written consent. The Processor shall submit the request for specific authorisation at least one (1) month prior to the engagement of the subcontractor in question, together with the information necessary to enable the controller to decide on the authorisation. If consented by the Controller, Processor is obliged to

  • a) make a written agreement with each subcontractor which shall impose the same data protection obligations to the subcontractor as the ones imposed on the Processor in accordance with this Agreement.
  • b) ensure that the subcontractors are properly experienced and qualified, and that they comply with this DPA.
  • c) regularly monitor the performance of its subcontractors and notify the Controller of any failure by the subcontractor to fulfil its contractual obligations.
  • d) upon Controllers request, and in such case, included as an Annex to this Agreement, provide the Controller with a list of all current subcontractors and processing locations of Personal Data, as well as information on the substance of the contract related to the data protection and security obligations within the subcontract relationship.

The Processor shall ensure the lawfulness of its subcontractors processing Personal Data. The Processor remains fully liable for the acts and omissions of its subcontractors.

Changes to the Agreement

We may update this Agreement from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. Changes will be prompted inside the App and the last modified date of the Agreement will be displayed on top of this page.

Contact us

Contact us for more information about our privacy practices or the Agreement:

by e-mail at or

by mail using the details provided below:

Approosters Oy
Siltakatu 10 B 30
80100 Joensuu