Legal

Data processing and GDPR terms

The data processing terms that apply when Recustom handles merchant customer data to provide personalized commerce, production, and fulfillment services.

Last updated: July 16, 2026Effective: July 16, 2026

These Data Processing and GDPR Terms ("Data Terms") form part of the agreement between a merchant using Recustom ("Merchant") and Vitamin Creative Lab Limited ("Recustom"). They apply when Recustom processes Customer Personal Data on the Merchant's behalf in connection with the Service.

These Data Terms are designed to meet the processor-contract requirements of Article 28 of the EU GDPR, the UK GDPR, and comparable data protection laws. They do not replace a Merchant's own privacy notices, lawful basis, or responsibilities as a controller.

01Definitions and order of precedence

"Customer Personal Data" means personal data that Recustom processes for the Merchant under the agreement. "Data Protection Law" means privacy and data protection law applicable to that processing. "Controller", "processor", "personal data", "processing", and "data subject" have the meanings given by applicable Data Protection Law.

If these Data Terms conflict with the general Terms of Service regarding Customer Personal Data, these Data Terms control. A signed enterprise data processing agreement may replace or supplement these Data Terms.

02Roles and instructions

The Merchant is the controller or a processor acting for another controller. Recustom is a processor or subprocessor for Customer Personal Data. Each party will comply with the duties that apply to its role.

Recustom will process Customer Personal Data only on the Merchant's documented instructions, including instructions expressed through configuration, API calls, approved orders, support requests, and the agreement. Recustom may process data as required by law after giving notice where the law permits.

03Merchant responsibilities

  • provide all privacy notices and obtain every consent or other lawful basis required for Customer Personal Data;
  • ensure its instructions comply with Data Protection Law and do not require Recustom to process unsupported sensitive data;
  • limit data submitted to what is necessary for product creation, order processing, production, and fulfillment;
  • keep connected channel permissions, account access, and recipient details accurate and secure; and
  • respond to customers and supervisory authorities as the controller, with Recustom's assistance where required.

04Details of processing

Subject matter and duration

Personalized commerce automation, product content and production asset creation, order import, manufacturing, shipping, support, and related Service operations for the term of the agreement and the limited retention period described below.

Nature and purpose

Collecting, receiving, organizing, storing, retrieving, transforming, transmitting, generating, matching, deleting, and otherwise processing data to provide the Service on the Merchant's instructions.

Data subjects

Merchants, merchant personnel, storefront customers, order recipients, and people depicted in submitted content.

Categories of data

Names, contact details, shipping addresses, store and order identifiers, order contents, customization selections, customer-provided text and images, production assets, fulfillment status, and support information. Special-category data is not intended for processing under the Service.

05Confidentiality and personnel

Recustom will limit access to Customer Personal Data to personnel and contractors who need it to provide, secure, or support the Service. Those people must be bound by confidentiality obligations appropriate to their access.

06Security measures

Recustom implements measures designed to provide a level of security appropriate to the processing risk. Current measures include encrypted transport for production services, application-layer encryption for connected-store credentials, signed requests between application components, access-controlled sessions, tenant-aware authorization, database row-level security policies, and access controls for stored assets.

Security is risk-based and evolves with the Service. More detail is available on the Security page. Recustom may update controls so long as the overall level of protection is not materially reduced.

07Subprocessors

The Merchant gives Recustom general authorization to use subprocessors needed to provide the Service. These may include hosting, database, object storage, authentication, commerce platforms, payment, AI infrastructure, communications, production, and logistics providers. Recustom will contractually require subprocessors to protect Customer Personal Data to a standard consistent with these Data Terms.

Recustom will make current subprocessor information available on reasonable request. Where required by Data Protection Law or a signed agreement, Recustom will provide notice before adding a subprocessor that materially changes the processing. The Merchant may object on reasonable data protection grounds.

08International transfers

If Recustom receives EEA personal data in a country that does not benefit from an applicable adequacy decision, the 2021 European Commission Standard Contractual Clauses apply as needed using Module Two for controller-to-processor transfers or Module Three for processor-to-processor transfers. The Merchant is the data exporter, Recustom is the data importer, Clause 7 docking applies, Option 2 applies to Clause 9, and the competent supervisory authority and governing law are determined under Clauses 13 and 17 based on the Merchant's EEA establishment where the clauses permit.

For restricted transfers under the UK GDPR, the parties will use the applicable UK transfer mechanism, including the International Data Transfer Addendum where required. For Swiss transfers, references in the clauses will be interpreted to include the Swiss Federal Act on Data Protection where applicable.

09Data subject requests

Recustom will provide reasonable assistance for verified requests to access, correct, delete, restrict, object to, or receive Customer Personal Data, taking into account the nature of the processing and the information available to Recustom. If Recustom receives a request directly from a Merchant's customer, Recustom may refer the person to the Merchant unless law requires a direct response.

Shopify may send privacy requests through its mandatory compliance webhook channels. Merchants may also contact hello@recustom.ai with the store domain, order reference, request type, and verification information.

10Personal data incidents

Recustom will notify the Merchant without undue delay after confirming a personal data breach affecting Customer Personal Data where notification is required. Available notice will describe the nature of the incident, likely consequences, measures taken or proposed, and a contact for follow-up. Recustom's notice is not an admission of fault or liability.

The Merchant is responsible for notifications to customers, regulators, and other parties, unless applicable law assigns that duty to Recustom.

11Compliance assistance and information

Taking into account the nature of processing and information available, Recustom will reasonably assist the Merchant with security obligations, breach assessments, data protection impact assessments, and regulator consultations required by Data Protection Law.

Recustom will provide information reasonably necessary to demonstrate compliance with these Data Terms. Any audit must be legally required or reasonably justified, subject to confidentiality, coordinated in advance, limited to relevant systems and records, and conducted without unnecessary disruption. The Merchant bears its audit costs unless an audit identifies a material breach by Recustom.

12Return and deletion

At the end of the Service, Recustom will delete or return Customer Personal Data on the Merchant's documented request, unless law requires retention. Data may remain for a limited period in protected backups, security records, dispute files, or financial records until the applicable retention cycle ends. During that period, Recustom will isolate the retained data from ordinary use and process it only for the retention purpose.

13Data protection contact

Questions, signed DPA requests, and data protection notices may be sent to hello@recustom.ai. Include the Merchant account, connected store, and request context, but do not send passwords, full payment details, or unnecessary customer content by email.

加入内测候补名单

Recustom 即将开放内测。加入候补名单并确认邮箱,内测开放时我们会尽快向你发出邀请,并早于公开注册。

提交邮箱不会创建账户。我们会发送确认邮件,并在内测开放时通知你。可随时退订。 隐私政策