Data Processing Addendum

Last updated: 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Controller") and Mavenory (the "Processor") and reflects the parties' agreement on the processing of personal data under the GDPR and KVKK.

Scope & roles

Mavenory processes personal data on your behalf solely to provide the service. You are the controller of the data you upload and of your customers' order data imported from Etsy.

Sub-processors

Current sub-processors: Supabase (EU), Cloudflare, Resend, LemonSqueezy, PostHog (EU) and Sentry. We will inform you of changes to this list and remain responsible for their compliance.

Security

We implement appropriate technical and organisational measures, including encryption in transit, row-level security isolating each workshop's data, OAuth token isolation, and least-privilege access. We will notify you without undue delay upon becoming aware of a personal-data breach.

International transfers

Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses.

Deletion

On termination, we will delete or return personal data within a reasonable period, except where retention is required by law.

Contact

Data protection enquiries: privacy@mavenorysystems.com.