Controller / Processor Roles
EMPHOS Group acts as controller for customer data, while Shopify acts as processor in connection with the storefront.
EMPHOS Group Legal
Data Processing Agreement
This Data Processing Agreement describes how EMPHOS Group processes personal data under applicable privacy and data protection law, including GDPR, UK GDPR, PIPEDA, and BC PIPA.
Lawful Bases
Processing may rely on contract performance, legitimate interests, consent, or legal obligation depending on the activity.
Rights & Safeguards
Data subjects may have rights of access, correction, erasure, portability, objection, and complaint depending on jurisdiction.
Transfers & Retention
International transfers use safeguards like SCCs or IDTAs, and retention periods vary by data category and legal need.
Agreement Overview
Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Emphos Group (“Data Controller” or “we”) located at 9398 Coote Street, Chilliwack, BC, V2P 6B5, Canada, and you (“Data Subject” or “customer”) as part of the services.
This DPA supplements the Privacy Policy and Terms of Service and addresses obligations under applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and British Columbia’s Personal Information Protection Act (PIPA).
If you are accessing the services from within the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection law, this DPA forms part of the agreement with you and describes how personal data is processed, what safeguards are applied, and what rights may exist.
Section 1
Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”), as defined under applicable data protection law.
- “Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, or deletion.
- “Data Controller” means the entity that determines the purposes and means of processing Personal Data. Emphos Group acts as a Data Controller with respect to the personal data of its customers.
- “Data Processor” means an entity that processes Personal Data on behalf of the Data Controller. Shopify Inc. acts as a Data Processor in connection with the services.
- “Sub-Processor” means any third party engaged by a Data Processor to assist in processing Personal Data.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Section 2
Roles and Responsibilities
2.1 Emphos Group as Data Controller
Emphos Group acts as the Data Controller with respect to personal data collected directly from customers through the services, including contact information, transaction data, account data, and communications. As controller, EMPHOS Group is responsible for determining the purposes and means of processing, ensuring a lawful basis for processing, and honouring data subject rights.
2.2 Shopify as Data Processor
The services are built on Shopify’s platform. Shopify acts as a Data Processor in relation to personal data processed through the storefront. Shopify’s data processing practices are governed by Shopify’s Data Processing Addendum and Privacy Policy, and Shopify maintains a list of its Sub-Processors in its trust and compliance documentation.
Section 3
Lawful Basis for Processing
Emphos Group relies on the following lawful bases for processing personal data:
| Lawful Basis | Examples of Processing |
|---|---|
| Contract Performance | Processing orders, fulfilling shipments, managing returns, and providing customer support. |
| Legitimate Interests | Fraud prevention, security monitoring, improving the services, and analytics. |
| Consent | Sending marketing emails, placing non-essential cookies, and retargeted advertising. |
| Legal Obligation | Retaining transaction records for tax and accounting purposes and responding to lawful requests. |
Section 4
Data We Process
The categories of personal data processed by Emphos Group in connection with the services include:
- Identity data: name, username, and date of birth where provided.
- Contact data: billing and shipping address, email address, and phone number.
- Financial data: payment card type (last 4 digits only), transaction amounts, and payment confirmations.
- Transaction data: products purchased, order history, returns, and refunds.
- Technical data: IP address, browser type, device identifiers, and cookies.
- Usage data: pages visited, time on site, referral sources, and clickstream data.
- Communications data: content of customer support inquiries and correspondence.
Emphos Group does not intentionally collect special categories of sensitive personal data such as health data, biometric data, racial or ethnic origin, or political opinions. Do not submit that kind of information through the services.
Simple rule: do not send sensitive data through normal storefront or support channels unless explicitly instructed to do so in writing.
Section 5
International Data Transfers
Because the services are powered by Shopify, personal data may be transferred to and stored in countries outside of the European Economic Area, the United Kingdom, and Canada. These transfers may include transfers to the United States and other jurisdictions.
Where personal data is transferred from the EEA or UK to countries that the European Commission has not determined to offer an adequate level of protection, Emphos Group relies on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA). For transfers involving Shopify, Shopify’s Data Processing Addendum includes the applicable SCCs.
Section 6
Data Retention
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting obligations.
| Data Category | Retention Period |
|---|---|
| Transaction and Order Data | 7 years from the date of transaction for tax and legal purposes. |
| Account Data | For the duration of the account, plus 2 years after account closure. |
| Marketing Consent Records | 3 years from the date of last contact or consent withdrawal. |
| Customer Support Records | 3 years from the date of last correspondence. |
| Technical / Analytics Data | Up to 26 months depending on the analytics tool used. |
Section 7
Data Subject Rights
If you are located in the EEA, UK, or another jurisdiction with applicable data protection law, you may have the following rights with respect to your personal data:
- Right of Access: request a copy of the personal data held about you.
- Right to Rectification: request correction of inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): request deletion of personal data in certain circumstances.
- Right to Restriction: request that use of your personal data be limited.
- Right to Data Portability: receive your personal data in a structured, machine-readable format and transfer it to another controller.
- Right to Object: object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent: withdraw consent at any time where processing depends on consent.
- Right to Lodge a Complaint: make a complaint to a supervisory authority in your jurisdiction.
To exercise any of these rights, contact info@emphosgroup.com with the subject line “DATA SUBJECT REQUEST.” EMPHOS Group will respond within 30 days, or as required by applicable law, and may require identity verification first.
Section 8
Data Breach Notification
In the event of a Data Breach that is likely to result in a risk to the rights and freedoms of individuals, Emphos Group will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required by applicable law.
Where a breach is likely to result in a high risk to affected individuals, EMPHOS Group will also notify those individuals without undue delay, including information about the nature of the breach, the data involved, and the steps taken to address it.
Section 9
Contact and Supervisory Authority
For all data protection inquiries or to exercise your rights, contact EMPHOS Group directly:
Emphos Group
9398 Coote Street, Chilliwack, BC, V2P 6B5, Canada
Email: info@emphosgroup.com
If you are located in the EEA and are not satisfied with the response, you have the right to lodge a complaint with your local data protection supervisory authority. In Canada, privacy complaints may be directed to the Office of the Privacy Commissioner of Canada or the BC Office of the Information and Privacy Commissioner.
Need data rights help right now?
For access, correction, deletion, portability, objection, or breach questions, contact EMPHOS Group directly and use a clear subject line so your request does not get buried under generic support noise.