مmargrow
العربيةStart free
م
Legal

Data Processing Agreement

DPA · v1.0

Last updated: May 22, 2026
Version: 1.0
Applies to: All subscribers automatically

1. Framework

This agreement complements the Terms of Service and governs the processing of personal data. It is automatically binding upon installing Margrow and does not require a separate signature.

2. Roles

  • The Merchant (you): Data Controller for your customers' data
  • Margrow: Data Processor on the Merchant's behalf

3. Purpose of processing

Margrow processes data exclusively to deliver the Service:

  • Sending email campaigns
  • Customer base segmentation
  • Performance measurement (opens, clicks, attributed revenue)
  • Email automation sequences

4. Categories of data subjects

  • Current and prospective customers of the store
  • Newsletter subscribers
  • Store visitors interacting with subscription forms

5. Categories of data

  • Identification: name, email, phone number
  • Behavioral: purchase history, abandoned carts, email interactions
  • Technical: IP address (security logs only)

No sensitive data (health, financial, ideological) is processed.

6. Sub-processors

Margrow uses the following services to deliver the Service:

Processor Purpose Location
Amazon Web ServicesHosting & storageRiyadh · Ireland
SendGrid (Twilio)Email deliveryEU
PostmarkEmail delivery (backup)EU
CloudflareNetwork protection & CDNGlobal network
PostHogInternal analyticsEU
SallaMerchant store integrationSaudi Arabia

Adding or changing a sub-processor is notified 30 days before it takes effect. You have the right to object.

7. Security measures

Margrow implements appropriate technical and organizational security measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Role-based access control (RBAC)
  • Audit logs for all access
  • Annual penetration testing
  • Mandatory security training for the team

Full details on the Security page.

8. Breach notification

In the event of any data breach affecting your customers' data, we will notify you within 72 hours of detection, with details: nature of the breach, data affected, actions taken, and recommendations.

9. Audits

Enterprise-tier customers may request an annual audit of Margrow's security measures, with 30 days' prior notice.

10. Data subject rights

Upon receiving a request from one of your customers (access, deletion, export, etc.), we will assist you in fulfilling it within 30 days of notification.

11. Term and termination

This agreement remains in effect for the duration of your use of the Service. Upon termination, your data is deleted within 30 days (except data legally required to be retained, such as billing records for ZATCA).

12. Contact

Data Protection Officer (DPO): dpo@margrow.com

Data subject rights enforcement: privacy@margrow.com