Data Processing Addendum
Last updated: May 8, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Merchant" / "Controller") and Joe Della Mora, an individual doing business as Rankmore, with a principal place of business at 3211 Cahuenga Blvd W, Los Angeles, CA 90068, USA ("Rankmore" / "Processor") and applies to the extent Rankmore processes Personal Data on your behalf in the course of providing the Services as described in our Terms of Service.
This DPA is designed to satisfy Article 28 GDPR, the UK GDPR, the Swiss FADP, and equivalent requirements of other applicable data protection laws including the CCPA/CPRA, PIPEDA, and the Australian Privacy Act.
1. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Sub-processor", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR. "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Decision 2021/914), and the UK International Data Transfer Addendum where applicable.
2. Roles and scope
You are the Controller of Personal Data submitted to the Services. Rankmore is the Processor and processes Personal Data only on your documented instructions, which include the configuration of the Services as offered, the actions you take in the App (including approvals you give), and any other written instructions you provide.
2.1 Subject matter, nature, purpose, and duration
Subject matter: the provision of AI-assisted SEO services (PDP suggestions, content generation, press releases, link analysis, redirects, ranking and AI-engine visibility tracking) for your Shopify store.
Duration: for the duration of your installation of the App, plus any retention period described in our Privacy Policy.
2.2 Categories of Data Subjects and Personal Data
Because Rankmore does not request access to customer or order data, the only Personal Data we typically process on your behalf is:
- Your own and your team members' contact information and account identifiers (name, email, store role)
- Visitor log data from your storefront only as it appears incidentally in publicly indexed content we analyze
If you choose to include Personal Data in inputs you give the App (e.g. in support requests), that data will be processed in accordance with this DPA.
3. Rankmore's obligations
Rankmore will:
- Process Personal Data only on your documented instructions, including with regard to international transfers (unless required by law, in which case we will inform you of that legal requirement before processing, where the law permits)
- Confidentiality. Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Security. Implement and maintain appropriate technical and organizational measures (Annex A)
- Sub-processors. Engage Sub-processors only as permitted by Section 4
- Data Subject requests. Assist you, taking into account the nature of processing, by appropriate technical and organizational measures, in fulfilling your obligation to respond to Data Subject requests
- Compliance assistance. Assist you in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation), taking into account the nature of processing and information available to us
- Personal Data Breach. Notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting your Personal Data, with the information reasonably required for you to meet your own breach-notification obligations
- Deletion. Delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by applicable law (see retention details in the Privacy Policy)
- Audits. Make available to you all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, on reasonable advance written notice and subject to confidentiality
4. Sub-processors
You provide Rankmore with general written authorization to engage Sub-processors to process Personal Data on your behalf, subject to the requirements below. The current list of Sub-processors is in our Privacy Policy, Section 5.1.
- Rankmore will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
- Rankmore remains liable to you for the acts and omissions of its Sub-processors.
- Rankmore will give you reasonable advance notice of any intended addition or replacement of Sub-processors that process Personal Data, by posting an updated list at the link above. You may object on reasonable data-protection grounds within 30 days; if the objection cannot be resolved, you may terminate the affected Services.
5. International transfers
Where Rankmore transfers Personal Data originating from the EEA, UK, or Switzerland to a country that is not subject to an adequacy decision, the parties agree that the EU SCCs (Module 2: Controller to Processor) and the UK Addendum, as applicable, are incorporated by reference and apply to such transfers, with the following selections:
- Module: Controller-to-Processor (Module Two)
- Clause 7 (Docking Clause): applicable
- Clause 9(a) (Sub-processors): Option 2 — General written authorization, as in Section 4 above
- Clause 11 (Redress): the optional independent dispute resolution body language is not selected
- Clause 17 (Governing Law): Republic of Ireland
- Clause 18 (Forum): courts of Ireland
- Annex I.A (Parties): Controller is the Merchant; Processor is Rankmore (Joe Della Mora, a natural person doing business as Rankmore, Los Angeles, CA, USA)
- Annex I.B (Description of transfer): as set out in Section 2.1 of this DPA and in the Privacy Policy
- Annex I.C (Competent supervisory authority): the supervisory authority of the EEA member state in which the Controller is established, or where there is no such establishment, the Irish Data Protection Commission
- Annex II (Technical and organizational measures): Annex A below
- Annex III (Sub-processors): as listed in the Privacy Policy
6. CCPA/CPRA terms
To the extent the CCPA/CPRA applies, Rankmore acts as a "service provider" with respect to Personal Information processed on your behalf and:
- will not sell or share Personal Information;
- will not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA;
- will not retain, use, or disclose Personal Information outside the direct business relationship between you and Rankmore;
- will not combine Personal Information received from you with Personal Information from other sources except as permitted by the CCPA;
- will assist you in fulfilling consumer rights requests; and
- certifies that it understands and will comply with these restrictions.
7. Term and termination
This DPA continues for as long as Rankmore processes Personal Data on your behalf. Upon termination of the Services, Rankmore will delete Personal Data as described in the Privacy Policy and in Section 3 above.
8. Order of precedence
If there is a conflict between this DPA and the Terms of Service or the Privacy Policy, this DPA prevails with respect to data protection obligations. Where the SCCs are incorporated under Section 5, the SCCs prevail over conflicting terms in this DPA.
Annex A — Technical and organizational measures
Rankmore implements the following measures to protect Personal Data, with details in our Security overview:
- Encryption. TLS 1.2+ in transit; AES-256 at rest in primary databases and object storage
- Access control. Least-privilege role-based access; SSO + MFA for internal access; access reviewed periodically
- Application security. Scoped OAuth tokens, short-lived service credentials, dependency vulnerability scanning, parameterized queries
- Network security. Hosted on secure cloud providers (Cloudflare, Neon, Vercel/Cloudflare); DDoS protection; WAF
- Logging and monitoring. Application and infrastructure logs centralized and retained per the Privacy Policy
- Backups. Encrypted, point-in-time backups of the primary database
- Incident response. Documented procedures for detection, containment, eradication, recovery, and notification
- Personnel. Confidentiality obligations; background checks where legally permitted; security awareness training
- Vendor management. Sub-processors selected and reviewed against security and privacy criteria; bound by data protection contracts
How to execute
This DPA is automatically entered into between you and Rankmore by your acceptance of the Terms of Service when you install or use the Services. No signature is required. If your organization requires a counter-signed copy, email hello@rankmore.app and we will arrange execution.
This DPA is provided as a clear, plain-English description of our data-processing terms. It is not legal advice. We recommend reviewing this DPA with your own counsel as it applies to your specific obligations.