
Data Processing Agreement
Our GDPR-compliant Data Processing Agreement, setting out how LaunchMyStore processes personal data on behalf of merchants and businesses.
Last updated: July 8, 2026
1. Introduction & Scope
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer", "Merchant", or "you") and LaunchMyStore ("we", "us", "our"), operated by TradeFusion Technologies Pvt Ltd, for your use of the LaunchMyStore e-commerce platform and related services (the "Services"). It governs the processing of personal data carried out by LaunchMyStore on your behalf.
This DPA reflects the parties' agreement with respect to the processing of Personal Data under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection ("FADP"), where applicable (together, "Data Protection Laws").
Where you are subject to Data Protection Laws and LaunchMyStore processes Personal Data on your behalf as a processor, this DPA applies and takes precedence over any conflicting terms in our Terms and Conditions in respect of such processing. A countersigned copy is available on request at [email protected].
2. Definitions
Terms used in this DPA have the meaning given to them under the GDPR. In particular:
- Personal Data: any information relating to an identified or identifiable natural person (a "Data Subject") that is processed under this DPA.
- Processing: any operation performed on Personal Data, such as collection, storage, use, disclosure, or erasure.
- Controller: the party that determines the purposes and means of the processing of Personal Data.
- Processor: the party that processes Personal Data on behalf of the Controller.
- Sub-processor: any third party engaged by the Processor to process Personal Data on its behalf.
- Standard Contractual Clauses (SCCs): the clauses adopted by the European Commission (Decision 2021/914) for the transfer of Personal Data to third countries.
3. Roles of the Parties
The roles of the parties depend on the type of Personal Data being processed:
- Merchant Store Data (you are the Controller). When you use LaunchMyStore to operate your online store, you are the Data Controller of the personal data of your own customers and store visitors (e.g. shoppers' names, addresses, and order details). LaunchMyStore acts as your Processor and processes that data only to provide the Services and on your documented instructions.
- Merchant Account Data (LaunchMyStore is the Controller). For personal data relating to your own account, billing, and use of our platform, LaunchMyStore is the Data Controller. That processing is described in our Privacy Policy.
This DPA governs the first scenario, where LaunchMyStore acts as your Processor. Each party is responsible for complying with the obligations that apply to it under Data Protection Laws in its respective role.
4. Data Controller & Contact
For processing where LaunchMyStore acts as Data Controller (your account data), and as the entity that acts as your Processor for Store Data, the responsible legal entity is:
- Legal entity: TradeFusion Technologies Pvt Ltd (operating as "LaunchMyStore"), registered in India under CIN U62091DL2023PTC419920
- Registered address: H 99 South Anarkali Som Bazar, Delhi 110051, DL, India
- Data protection contact: [email protected]
- General support: [email protected]
You can reach our data protection team for any question relating to this DPA, the exercise of Data Subject rights, or a personal data breach at [email protected]. Where you act as the Controller of your Store Data, you remain the primary point of contact for your own customers' Data Subject requests, and we will assist you as set out in Section 10.
5. Subject Matter, Duration, Nature & Purpose of Processing
- Subject matter: LaunchMyStore's processing of Personal Data as necessary to provide the Services under the agreement.
- Duration: for the term of your agreement with LaunchMyStore, plus the retention and deletion periods described in Section 11.
- Nature and purpose: hosting, storage, processing, and transmission of Personal Data to operate stores, process orders and payments, provide analytics and support, and deliver related platform features on your instructions.
6. Categories of Data Subjects & Personal Data (Annex I)
The categories below reflect the typical Personal Data processed on your behalf. The exact scope is determined by you as Controller, based on how you configure and use the Services.
| Category of Data Subject | Types of Personal Data |
|---|---|
| Your customers / store shoppers | Name, email, phone, billing & shipping address, order history, transaction data |
| Store visitors | IP address, device & browser data, cookie identifiers, usage analytics |
| Your staff / team members | Name, email, role, login credentials, activity logs |
| Newsletter & marketing contacts | Name, email, subscription status, marketing preferences |
You must not upload or instruct us to process special categories of data (Art. 9 GDPR) or criminal-offence data (Art. 10 GDPR) through the Services unless expressly agreed in writing and supported by appropriate safeguards.
7. Obligations of LaunchMyStore as Processor (Art. 28)
When acting as your Processor, LaunchMyStore will:
- Process Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case we will inform you, unless legally prohibited).
- Ensure that persons authorised to process Personal Data are bound by an appropriate duty of confidentiality.
- Implement appropriate technical and organisational security measures as required by Art. 32 GDPR (see Section 8).
- Engage Sub-processors only in accordance with Section 9.
- Assist you, by appropriate measures, in responding to Data Subject requests (Section 10) and in ensuring compliance with your obligations under Art. 32–36 GDPR.
- Notify you without undue delay after becoming aware of a Personal Data breach (Section 11).
- At your choice, delete or return Personal Data at the end of the provision of the Services (Section 11).
- Make available information necessary to demonstrate compliance and allow for and contribute to audits (Section 12).
8. Security Measures (Art. 32 — Annex II)
Taking into account the state of the art and the nature of the processing, LaunchMyStore maintains technical and organisational measures designed to protect Personal Data, including:
- Encryption: encryption of data in transit (TLS/HTTPS) and encryption of data at rest.
- Access control: role-based access, least-privilege permissions, strong authentication, and audit logging.
- Network security: firewalls, DDoS protection, and bot mitigation (e.g. Cloudflare).
- Resilience: regular backups, redundancy, and disaster-recovery procedures to restore availability after an incident.
- Pseudonymisation & minimisation: limiting Personal Data to what is required for the Services.
- Ongoing review: processes for regularly testing, assessing, and evaluating the effectiveness of these measures.
9. Sub-processors (Art. 28(2) & (4))
You provide general authorisation for LaunchMyStore to engage Sub-processors to help deliver the Services. We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will inform you of intended changes to Sub-processors and give you the opportunity to object on reasonable data-protection grounds.
Our current categories of Sub-processors include:
| Sub-processor / Category | Purpose |
|---|---|
| Cloud hosting & infrastructure (AWS, Google Cloud) | Hosting, storage, and delivery of the platform |
| Cloudflare | CDN, security, bot mitigation, and performance |
| Payment processors (Stripe, Razorpay, PayPal, PhonePe) | Secure payment and subscription processing |
| Google (Analytics / Sign-In) | Analytics and authentication |
| Email & communications providers | Transactional email, notifications, and support |
A current list of named Sub-processors is available on request at [email protected].
10. International Data Transfers
Where processing under this DPA involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country that is not subject to an adequacy decision, such transfers are made under an appropriate transfer mechanism — namely the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by the UK International Data Transfer Addendum for UK transfers and adapted for Switzerland where relevant, together with any additional safeguards required. By entering into this DPA, the parties are deemed to have entered into the applicable SCCs, which are incorporated by reference.
11. Data Subject Rights & Breach Notification
11.1 Assisting with Data Subject Requests
Taking into account the nature of the processing, LaunchMyStore will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). If we receive such a request directly relating to your Store Data, we will, unless legally required to act, advise the Data Subject to contact you as the Controller.
11.2 Personal Data Breach Notification (Art. 33)
LaunchMyStore will notify you without undue delay after becoming aware of a Personal Data breach affecting your data, and will provide information reasonably available to us to help you meet your own breach-notification obligations to supervisory authorities and Data Subjects.
11.3 DPIAs & Prior Consultation (Art. 35–36)
We will provide reasonable assistance to you in carrying out data protection impact assessments and any prior consultation with a supervisory authority, where required and taking into account the nature of the processing and the information available to us.
12. Return & Deletion of Data
Upon termination or expiry of the Services, and at your choice, LaunchMyStore will delete or return the Personal Data processed on your behalf and delete existing copies, unless retention is required by applicable law. Store data is retained for 30 days after cancellation before permanent deletion, and certain data may remain in routine backups for a limited period until those backups are overwritten on their normal cycle, during which it remains protected under this DPA.
13. Audits & Inspections
LaunchMyStore will make available to you information reasonably necessary to demonstrate compliance with Art. 28 GDPR and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits are subject to reasonable notice, confidentiality obligations, and scheduling to avoid disruption to our operations and to protect the data of other customers.
14. Liability, Term & Governing Law
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the agreement between the parties. This DPA takes effect on the date you accept our Terms and remains in force for as long as LaunchMyStore processes Personal Data on your behalf.
This DPA is governed by the law and jurisdiction specified in our Terms and Conditions, except where Data Protection Laws or the applicable Standard Contractual Clauses require otherwise.
15. Contact Us
To request a signed copy of this DPA, raise a data protection query, or report a concern, please contact:
- Data protection: [email protected]
- Support: [email protected]
- Address: TradeFusion Technologies Pvt Ltd, H 99 South Anarkali Som Bazar, Delhi 110051, DL, India
16. Related Policies
This DPA should be read together with our other policies:
- Privacy Policy - How we collect, use, and protect personal information
- Cookies Policy - How we use cookies and similar technologies
- Terms and Conditions - The rules and guidelines for using our Services