Effective 29 May 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between The Realry Group Inc. and its affiliates ("TRG", "CommerceBase", "Processor") and the Customer signed up to the CommerceBase platform ("Controller", "Customer"). It governs the processing of personal data carried out by CommerceBase on Customer's behalf and reflects Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the equivalent provisions of the United Kingdom General Data Protection Regulation ("UK GDPR").

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or, where applicable, in the GDPR / UK GDPR. "Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Sub-processor" shall have the meanings ascribed to them in the GDPR.

2. Subject matter, nature, and purpose of processing

CommerceBase processes Personal Data for the sole purpose of providing the Service described in the Terms — namely, operating commerce-media advertising campaigns on behalf of Customer across connected channels (including Google Shopping via TRG's CSS Partner sub-accounts, the DailyClicks publisher network, and other channel integrations elected by Customer), measuring campaign performance, and forwarding conversion events to upstream networks per Customer configuration.

3. Categories of Data Subjects and Personal Data

3.1 Data Subjects

  • End-users of Customer's storefront who interact with ads served by CommerceBase or with content carrying the CommerceBase conversion pixel.
  • Authorised users of Customer (account administrators, campaign operators).

3.2 Personal Data

  • End-user pixel events — pseudonymous click identifier (cb_click), timestamps, page URL, event type (page-view, add-to-cart, purchase), and value/currency on purchase. No direct identifiers are collected by the pixel.
  • Authorised-user account data — name, business email, role within the Customer organisation, authentication credentials.
  • Product catalog metadata connected to advertising campaigns. This is not Personal Data of end-users, but is processed under Customer's instructions and is treated as Customer Confidential Information.

4. Duration of processing

Processing continues for the duration of the Service relationship and for retention periods set out in our Privacy Policy (pixel event records retained for 24 months, click identifiers pruned after 90 days, account data retained up to 7 years post-termination to satisfy tax and accounting obligations). On termination, Customer may request return or deletion of Personal Data per Section 9 below.

5. CommerceBase's obligations

CommerceBase shall:

  • Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law.
  • Ensure that persons authorised to process the Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational measures set out in Annex B (Security Measures) below.
  • Assist Customer, taking into account the nature of the processing, in fulfilling obligations to respond to Data Subject requests for exercise of their rights under Articles 12–23 GDPR.
  • Assist Customer in ensuring compliance with Articles 32–36 GDPR (security of processing, breach notification, data-protection impact assessment, prior consultation).
  • Notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Customer Personal Data, providing the information required by Article 33(3) GDPR to the extent then known.

6. Sub-processors

Customer authorises CommerceBase to engage the Sub-processors listed in Annex A. We will impose data-protection obligations on Sub-processors equivalent to those in this DPA. We will notify Customer of any intended addition or replacement of Sub-processors at least 30 days in advance and provide a mechanism to object. If Customer objects on reasonable data-protection grounds and we cannot accommodate the objection, either party may terminate the affected portion of the Service.

7. International transfers

Where Personal Data subject to EU GDPR or UK GDPR is transferred outside the EEA / UK to a country not the subject of an adequacy decision, the transfer is carried out under the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) as adopted on 4 June 2021, or, for UK transfers, the UK International Data Transfer Addendum, each of which is incorporated into this DPA by reference. Customer's acceptance of the Terms constitutes execution of those clauses between Customer (as data exporter) and CommerceBase (as data importer).

8. Audit and information

CommerceBase shall make available to Customer the information necessary to demonstrate compliance with this DPA. Customer may, upon reasonable notice and no more than once per calendar year, request an audit of CommerceBase's relevant operations. Such audits shall be conducted during business hours, shall not unreasonably interfere with our operations, and shall be subject to confidentiality. We may satisfy audit requests by providing existing third-party audit reports (e.g., SOC 2 Type II once obtained).

9. Return or deletion of data

On termination of the Service, Customer may within 30 days request return or deletion of Customer Personal Data. After 30 days, CommerceBase will delete or anonymise Customer Personal Data within a further 90 days, except where retention is required by applicable law (in which case it remains protected by this DPA).

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in Section 8 (Liability) of the Terms of Service.

Annex A — Sub-processors

As of the effective date, CommerceBase engages the following Sub-processors:

  • Amazon Web Services, Inc. — compute, storage, networking. Region: us-east-1 (United States).
  • MongoDB, Inc. (Atlas) — primary database. Region: AWS us-east-1.
  • Cloudflare, Inc. — edge routing, CDN, WAF. Region: global.
  • Stripe, Inc. — billing and payments. Region: United States.
  • Google LLC — Google Ads / Google Merchant Center (Customer's elected channel). Region: global.
  • PPCMate / DailyClicks — programmatic publisher network. Region: EU.
  • Anthropic, PBC — large-language-model inference for the Agent feature. Region: United States. No Personal Data is included in prompts; only aggregated and de-identified campaign/catalog data.

Annex B — Security measures

  • Access control — production access is restricted to named TRG personnel with multi-factor authentication. Role-based access on a least-privilege basis; access is reviewed quarterly.
  • Encryption — Personal Data is encrypted in transit using TLS 1.2+ and at rest using provider-managed AES-256.
  • Network segmentation — production workloads run in a private VPC; databases are not directly exposed to the public Internet.
  • Backups — automated daily database backups retained for 30 days, stored encrypted; restoration procedures are exercised at least annually.
  • Secret management — credentials and OAuth tokens are stored in a dedicated secrets manager and rotated periodically; payment instruments are tokenised by Stripe and never reach our infrastructure.
  • Logging and monitoring — application and infrastructure logs are centralised; anomalous-activity alerting is in place for the production environment.
  • Vulnerability management — dependencies are continuously scanned; security patches are applied per the severity-tiered schedule documented internally.
  • Personnel — staff with production access undergo background checks where permitted by law and complete annual security training.

Contact

DPA questions or sub-processor objections: privacy@realry.com.