END-USER DATA PROCESSING ADDENDUM TO THE TERMS OF USE of Consentmo GDPR Compliance app
This End-User Data Processing Addendum (“End-User DPA”) supplements the Agreement between the Store Owner/Merchant (the “Merchant”) and Consentmo (the “Processor”) regarding the processing of Personal Data of the individuals who visit the Merchant’s store (“End-Users”). This addendum is an attachment to the Privacy Policy and Terms of Use found at: consentmo.com/privacy-policy and consentmo.com/terms-of-use.
By submitting a Data Subject Access Request (DSAR) or choosing a consent setting through the provided tools on a merchant’s store using the Consentmo GDPR Compliance app, you acknowledge that your Personal Data will be handled by the GDPR/CCPA services to ensure compliance and assist with your data privacy requests.
1. Background
1.1. Consentmo provides a software solution to help merchants manage data privacy compliance, including the handling of Cookie consent settings, providing access to compliance pages, and DSAR requests.
1.2. The End-User DPA applies to how Consentmo processes personal data as a result of being installed on the Merchant's store.
1.3. This addendum is strictly provided for describing the treatment of your personal data and does not provide legal advice for any other purposes.
2. Processing of Personal Data
- Merchant: The Data Controller responsible for collecting and managing Personal Data provided by the End-User.
- Consentmo / App: The Data Processor acting on behalf of the Merchant to fulfill GDPR, CCPA, APPI, PIPEDA, and other relevant legal requirements.
- End-User: The Data Subject whose personal data is processed when visiting/using a store using the app services.
Consentmo processes personal data solely for the purpose of providing legal compliance tools and in accordance with law.
3. Types of Personal Data Collected
When interacting with the Processor through a Merchant’s Store, the following information is typically collected for compliance records:
3.1. All data processed is solely for compliance purposes and to maintain the audit logs required by data protection authorities.
4. Legal Basis for Processing
Consentmo processes End-User personal data based on the following:
- GDPR/ePrivacy: Based on the consent given or the legitimate interest of the Merchant.
- CCPA/CPRA: Fulfilling statutory obligations regarding data access and opt-out rights.
- Legal Compliance: Fulfilling requirements to maintain records of consent and data requests.
5. Data Retention
- Cookie consent logs and DSAR requests: Retained for a maximum of 12 months (unless the Merchant has adjusted these settings).
- End User data (such as IP addresses and email addresses used for DSAR requests): Anonymized or deleted automatically once the request is fulfilled or timed out.
6. Sharing of Data
Consentmo will not share End-User data with third parties except as required to perform the services or by law:
- With Shopify: As the platform on which the app operates.
- Sub-Processors: Mentioned in Section 4 of the Merchant Data Processing Addendum (cloud infrastructure providers used to host the data securely).
- Legal Authority: If required by policy or court order.
For a full list of our sub-processors, visit our Privacy Policy.
7. End User Rights
End Users have the right to exercise their rights under data protection laws:
- Right to access personal data (DSAR).
- Right to rectification of personal data.
- Right to erasure (Right to be forgotten).
- Right to restrict or object to processing of personal data.
- Right to Data Portability (under GDPR).
- Right to Withdraw Consent.
To exercise these rights, please use the Data Subject Access Request (DSAR) form on the Merchant’s store page or visit the Merchant’s contact page.
8. Data Transfers Outside the EEA
If data must be transferred outside the European Economic Area (EEA), it will be handled in accordance with Standard Contractual Clauses (SCCs) or other adequate legal frameworks for data protection and privacy.
9. Contact Information
If you have any questions about how your personal data is processed, you may contact Consentmo's Data Protection Officer (DPO) at:
Email: privacy@consentmo.com
Address: 4 Prof. Georgi Bradistilov, entr. A, 4th floor, Sofia, Bulgaria
For complaints, you may contact your local data protection authority.
10. Final Provisions
10.1. This End-User DPA takes precedence over other policies in case of conflict, regarding the treatment of end-user data through the Consentmo Compliance App.