​​​​​​​

1. Roles

For the purposes of applicable data protection laws, the merchant acts as the Data Controller and CMOgpt acts as the Data Processor on behalf of the merchant.

 

​2. Scope & Purpose of Processing

CMOgpt processes data solely to provide decision-support insights in accordance with the merchant’s documented instructions, as set out in the CMOgpt Terms of Service and through the merchant’s use of the service.

​​​​​

3. Data Categories

CMOgpt processes the following categories of personal data on behalf of the merchant, to the extent such data constitutes personal data:

• Merchant account information (e.g. account email address)

• Aggregated store performance and analytics data that does not include end-customer personal data, including data accessed via merchant-authorised connections

• Merchant-provided inputs submitted through the service

CMOgpt does not process end-customer personal data and is not designed to ingest or process sensitive personal data.

​

4. Sub-Processors

CMOgpt uses approved sub-processors, including Amazon Web Services (hosting and infrastructure) and OpenAI (acting as a sub-processor for AI processing). CMOgpt remains responsible for the actions of its sub-processors in accordance with applicable data protection laws. A current list of sub-processors may be made available upon request.

 

5. Security Measures

CMOgpt implements appropriate technical and organisational security measures, including encryption, logical data segregation, role-based access controls, and secure authentication.

 

6. Confidentiality

CMOgpt ensures that personnel authorised to process data are subject to confidentiality obligations.

 

7. Data Subject Rights

Where applicable and to the extent required by law, CMOgpt will provide reasonable assistance to the merchant in responding to data subject requests.

​​

8. Personal Data Breaches

CMOgpt will notify the merchant without undue delay upon becoming aware of a personal data breach.

​​​​

9. Deletion or Return of Data

Upon termination of the service, CMOgpt will delete merchant data in accordance with the Terms of Service and Privacy Policy, subject to limited retention required by law. Data deletion will occur within a reasonable timeframe.

​

10. Audits

Upon reasonable request, CMOgpt will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security considerations.

​​

11. Governing Law

This DPA is governed by the laws of Victoria, Australia.

​