
GDPR compliance, explained.

How Arbyn handles personal data under the General Data Protection Regulation. Roles, rights, and the Data Processing Addendum.

Last updated: May 20, 2026
CONTENTS
  • Overview
  • Controller and processor roles
  • Lawful bases for processing
  • Data subject rights
  • Shopify-mandated data lifecycle
  • International data transfers
  • Data Processing Addendum
  • Security measures
  • Breach notification
  • Supervisory authority
  • Contact

Overview

Arbyn is operated by ONDUTYOPS LLC and is committed to compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). This page explains how the GDPR applies to operators using Arbyn to serve customers in the European Union and European Economic Area.

Read this alongside our Privacy Policy and Terms of Service.

Controller and processor roles

For end shopper data flowing through Arbyn on behalf of a Shopify store:

  • The Shopify operator is the data controller. They decide what data is collected, how it is used, and for what purpose.
  • Arbyn (ONDUTYOPS LLC) is the data processor. We process data only on documented instructions from the operator.

For operator account data (the data we collect about you when you install Arbyn), Arbyn is the data controller.

Lawful bases for processing

We rely on the following lawful bases under Article 6 of the GDPR:

  • Contract. Processing necessary to deliver Arbyn under our Terms of Service.
  • Legitimate interest. Limited service operations like error monitoring, security, and product improvement.
  • Consent. Where you have given clear, opt-in consent for a specific purpose, such as receiving product updates.
  • Legal obligation. Where processing is required by applicable law, such as retaining billing records.

Data subject rights

Under GDPR, individuals whose personal data we process have the following rights:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

End shoppers should send rights requests to the Shopify operator running the store they interacted with. Operators can email gdpr@arbyn.app to forward or escalate such requests. We respond to all rights requests within 30 days.

Shopify-mandated data lifecycle

As a Shopify App Store-listed app, Arbyn implements the three GDPR data webhooks Shopify requires of every app. These are enforced by Shopify and are not optional — deletion is permanent, with no "soft delete" recovery window.

  • customers/data_request — When an end shopper requests their data through your Shopify admin, we respond with everything Arbyn holds for that shopper, formatted for portability.
  • customers/redact — When an end shopper requests deletion, all data Arbyn holds for that shopper is permanently deleted within 30 days.
  • shop/redact — When you uninstall Arbyn from your Shopify store, all data Arbyn holds for that store is permanently deleted within 48 hours.

In addition, Arbyn requests only the minimum Shopify API access scopes it needs to function. The full scope list is displayed in the installation modal and is reviewed before every release.

International data transfers

Arbyn stores data in AWS regions in both the United States (US-EAST-1) and the European Union (EU-WEST-1). For operators serving EU customers, store data and conversation data are processed in EU-WEST-1 by default.

For transfers to subprocessors located outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, additional safeguards such as encryption in transit and at rest.

Data Processing Addendum

We make a Data Processing Addendum (DPA) available to all operators. It incorporates the SCCs and reflects our role as a processor under GDPR.

The DPA is pre-signed and takes effect on installation for all operators in the EEA, UK, and Switzerland. Operators in other regions can request countersigned copies by emailing dpa@arbyn.app.

Security measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Role-based access controls and least-privilege provisioning
  • Audit logging of access to production systems
  • Zero-retention agreements with all LLM subprocessors
  • SOC 2 Type II audit in progress, expected completion Q3 2026

Breach notification

In the unlikely event of a personal data breach affecting your end customers, we will notify you without undue delay and within 72 hours of becoming aware of it, in line with Article 33 of the GDPR. The notification will include the nature of the breach, categories and approximate numbers of records affected, likely consequences, and the measures we have taken or intend to take.

Supervisory authority

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority in your EU member state of residence, place of work, or place of the alleged infringement.

Contact

Data Protection Officer
ONDUTYOPS LLC
gdpr@arbyn.app