ProfitMuncher est. for makers
VOL. IV · LEGAL

Data processing.

The DPA we sign with you when your storefront processes customer data through ProfitMuncher.

Last updated · 13 July 2026 Effective · 13 July 2026 Reading time · ~9 min
§ 01

Roles & scope

You are the Controller of your customers' personal data. City Embroidery Ltd, trading as ProfitMuncher, is the Processor, acting on your documented instructions.

We process the personal data your storefront collects (names, emails, addresses, order details) only to provide the service: hosting, transmitting, displaying and backing it up. Using the service constitutes your instruction to process for those purposes.

§ 02

Confidentiality

Access to customer data is limited to personnel who need it to operate the service, and they are bound by confidentiality obligations. We never use your customers' data for our own marketing.

§ 03

Subprocessors

The current subprocessors that may handle your customers' personal data:

  • Hetzner Online GmbH — hosting — Germany
  • Cloudflare, Inc. — content delivery, security, object storage — global (US HQ)
  • Backblaze, Inc. — encrypted backup storage — EU (Amsterdam region)
  • Brevo SAS — email delivery — France

Payment providers you connect to your storefront (Stripe, PayPal, bank transfer) act for you directly under your own agreements with them — they are your processors, not our subprocessors.

We'll give you at least 30 days' email notice before a new subprocessor handles your customers' data.

§ 04

Security measures

  • Encryption in transit (TLS) across all connections
  • Nightly backups, encrypted on our servers before upload and stored in the EU
  • Least-privilege access to production systems
  • Web application firewall and DDoS protection at the network edge (Cloudflare)
  • Containerised services on an isolated internal network
§ 05

Breach notification

If we become aware of a personal data breach affecting your customers' data, we will notify you without undue delay, and share what we know — the nature and scope of the breach, its likely consequences, and the measures taken — so you can meet your own notification obligations as Controller.

§ 06

Deletion & return

When you close your account, email [email protected] and we'll return your customers' data in a machine-readable format and delete it from live systems on request. Backup copies age out of the backup rotation automatically.

§ 07

International transfers

Customer data is hosted and backed up in the EU (Germany; Amsterdam region for backups). Where a subprocessor processes data outside the UK/EU, the transfer is covered by the UK's approved safeguards, as described in our Privacy Policy.

Need this DPA countersigned, or have a question?

Email legal@ and we'll sort it out.

Email legal@ →