Merchant Data Processing Addendum
Last updated on
April 8. 2025

DATA PROCESSING ADDENDUM TO THE TERMS OF USE OF Consentmo GDPR Compliance app

This Data Processing Addendum (“DPA”) applies to you (the “Client”) and Consentmo Ltd. (“Consentmo”), located at 4 Prof. Georgi Bradistilov, entr. A, 4th floor, Sofia, Bulgaria, for the processing of personal data. This Data Processing Addendum is applicable together with the Terms of Service. By clicking “I accept” using our Services - Consentmo app, you agree to all terms and conditions of this Data Processing Addendum and Terms of use.

1. Background

1.1. The Merchant is the Controller of the Personal Data and has appointed Consentmo as the Processor to process the Personal Data for the purpose of providing the Services in accordance with the Agreement.1.2. The parties wish to record their respective obligations with respect to the processing of the Personal Data in accordance with the requirements of the Data Protection Laws (GDPR, CCPA, etc.).1.3. Consentmo is a processor and the Merchant is a controller for the purposes of the DPA. Both parties agree to comply with the provisions of this DPA and the requirements of the Data Protection Laws.

2. Processing of Personal Data

2.1 Roles of the Parties

The parties acknowledge that:

  • The Merchant is the Data Controller.
  • Consentmo is the Data Processor.
  • Consentmo may engage Sub-Processors as outlined in Section 4.

2.2 Client - Processing of Personal Data

2.3 Consentmo - Processing of Personal Data(a) Consentmo shall process the data only to provide the App.(b) Consentmo shall maintain the required transparency, compliance measures and shall collect data on behalf of the Merchant.(c) Consentmo shall use the personal data for facilitating and improving the functionality of the App provided to the Merchant.

2.4 Duration of Processing of Personal DataThe DPA applies for the duration of the Agreement and until the Merchant's data related to their store is deleted, unless otherwise agreed by the parties or required by law to be retained for a longer period of time.

3. Data Retention and Deletion

  • Cookie consent logs and DSAR requests: Retained for 12 months or as defined by the Merchant's settings in the app.
  • Merchant data (store settings, logs): Retained for 2 years after the last use, then deleted or anonymized.
  • Consentmo shall delete all personal data and DSAR logs upon terminating the service with the Merchant.

4. Sub-Processors

4.1 Appointment of Sub-ProcessorsThe Merchant provides general authorization for Consentmo to use the Sub-processors listed in this section. If Consentmo adds or changes Sub-processors, it shall update this DPA and notify the Merchant as required by law.

4.2 List of Sub-processors

  • Amazon Web Services (AWS) - Cloud infrastructure provider.
  • A2 Hosting - Server hosting.
  • Google Cloud Platform (GCP) - Computing Services.
  • Digital Ocean (DO) - Cloud Infrastructure Services.

5. Audit and Assistance

  • Consentmo shall provide the Merchant with all information reasonably necessary to demonstrate compliance with their obligations.
  • Consentmo shall assist the Merchant with any data protection impact assessments.

6. Data Transfers Outside the EEA

  • Consentmo transfers personal data outside the EEA only if it complies with legal transfer mechanisms such as Standard Contractual Clauses (SCCs).
  • For transfers to the USA, the data is handled by Sub-processors who are certified under the relevant Data Privacy Framework.

7. Liability and Indemnity

  • Each party is liable for any data breaches caused by its own negligence or breach of the terms of this DPA.
  • Indemnity for the Merchant is provided against direct damages only, up to a limit of the fees paid by the Merchant to the App.

8. Final Provisions

This DPA shall take precedence over the Terms of Use in case of conflict.