1. Roles

For the purposes of applicable data protection laws:

• The merchant acts as the Data Controller.

• CMOgpt acts as the Data Processor on behalf of the merchant.

The merchant determines which data sources are connected and how CMOgpt is used.

CMOgpt processes merchant data only to provide the service and in accordance with the merchant’s documented instructions, including instructions given through use of the service.
 

2. Scope and purpose of processing

CMOgpt processes data to provide ecommerce performance analysis and decision-support insights.

This includes:

• Reading authorised Shopify data

• Reading authorised Google Analytics 4 data

• Receiving merchant-entered marketing spend and business targets

• Calculating business metrics

• Modelling margin and profitability

• Benchmarking performance

• Generating CMOgpt scores and assessments

• Supporting AI-assisted business recommendations

• Providing selected business context through MCP

• Maintaining security, audit logs, and service reliability

CMOgpt does not process merchant data for advertising.

CMOgpt does not sell merchant data.

CMOgpt does not use merchant data to train public AI models.
 

3. Data categories

CMOgpt may process the following categories of data:

Merchant account data

• Account email address

• Store name

• Store URL

• Login or authentication information

• Subscription or billing status

Shopify business data

• Shopify order data

• Product information

• Inventory information

• Sales and revenue data

• Discount information

• Refund and return information where required for analysis

• Margin and profitability inputs where available

Google Analytics 4 data

• Traffic metrics

• Conversion metrics

• Channel performance

• Campaign performance

• Store or account-level analytics metrics

Merchant-provided data

• Marketing spend

• Business targets

• Revenue goals

• Margin targets

• Business questions

• Prompts

• Commercial context

CMOgpt-generated data

• Business metrics

• Performance scores

• Benchmark comparisons

• Performance gap analysis

• Decision tree outputs

• Scoring matrix outputs

• AI-generated responses and explanations

MCP data

Where MCP is enabled, CMOgpt may provide selected business context through an MCP server, including:

• Business metrics

• CMOgpt scores and assessments

• Industry benchmarks

• Business targets

• Performance gap analysis

• Proprietary analytical logic required to support machine inference

• ​

4. Data not processed by design

CMOgpt is not designed to extract or retain Shopify customer records.

CMOgpt does not intentionally collect or retain:

• Customer names

• Customer email addresses

• Customer phone numbers

• Delivery addresses

• Payment details

• Card information

• Passwords

• Shopify admin credentials

• Sensitive personal information

CMOgpt is a business performance and strategy tool, not a customer data platform.

​

5. Sub-processors

CMOgpt may use trusted sub-processors to provide the service.

Sub-processors may include providers for:

• Hosting and infrastructure

• AI processing

• Authentication

• Analytics

• Billing

• Support

• Communications

• Monitoring and security

CMOgpt remains responsible for the processing performed by its sub-processors in accordance with applicable data protection laws.

A current list of sub-processors may be made available upon request.

​

6. Security measures

CMOgpt implements appropriate technical and organisational measures designed to protect merchant data.

These may include:

• Encryption in transit

• Encryption at rest

• Secure authentication

• Role-based access controls

• Logical data separation

• Limited internal access

• Logging and monitoring

• Backup controls

• Secure infrastructure practices

• Confidentiality obligations for authorised personnel

 

7. Confidentiality

CMOgpt ensures that personnel authorised to process merchant data are subject to confidentiality obligations.

Access to merchant data is limited to personnel who require access to provide, support, secure, or maintain the service.

 

8. MCP security

Where MCP access is enabled, CMOgpt will take reasonable steps to ensure MCP access is controlled and limited to authorised use.

MCP access is designed to be read-only.

MCP requests may be logged for security, debugging, audit, and abuse prevention.

Merchants are responsible for keeping MCP tokens, API keys, and connected AI client access secure.

​

9. Data subject rights

Where applicable and required by law, CMOgpt will provide reasonable assistance to the merchant in responding to data subject requests.

This may include requests to access, correct, delete, restrict, or object to processing of personal data.

Because CMOgpt is not designed to extract or retain Shopify customer records, most data subject requests relating to end-customer personal data should be handled directly by the merchant through Shopify or the relevant source platform.

10. Personal data breaches

CMOgpt will notify the merchant without undue delay after becoming aware of a personal data breach affecting merchant data.

CMOgpt will provide reasonable information to help the merchant assess and respond to the breach, where required by applicable law.

​

11. Data retention and deletion

CMOgpt retains data in accordance with the Privacy Policy.

In summary:

• Shopify order data is retained for 30 days to support margin and profitability modelling.

• Shopify customer data is not extracted and not retained.

• Business metrics, GA4 metrics, marketing spend, and business targets are retained for the duration of the signup, trial, or subscription period.

• MCP logs may be retained for a limited period for security, debugging, audit, and abuse prevention.

• Billing, legal, security, and backup records may be retained where required by law or operational necessity.

Upon termination, cancellation, or valid deletion request, CMOgpt will delete or de-identify merchant data, subject to limited retention required for legal, security, compliance, billing, or backup purposes.

​

12. Audits

Upon reasonable request, CMOgpt will make available information reasonably necessary to demonstrate compliance with this Data Processing Addendum.

Any audit request must be reasonable, limited in scope, subject to confidentiality, and conducted in a way that does not compromise the security, confidentiality, or availability of the CMOgpt service or other merchants’ data.

​

13. International transfers

CMOgpt may use service providers located in different jurisdictions.

Where merchant data is transferred internationally, CMOgpt will take reasonable steps to ensure appropriate protections apply in accordance with applicable data protection laws.

​

14. Changes to this Data Processing Addendum

CMOgpt may update this Data Processing Addendum from time to time.

Material changes will be communicated through the service, email, website, or other reasonable means.

Continued use of the service after changes take effect means the updated Data Processing Addendum applies.

 

15. Governing law

This Data Processing Addendum is governed by the laws of Victoria, Australia.

 

16. Contact

For questions about data processing, contact:

support@cmogpt.io

​

​

​